Kevin Zoll

Emsisoft Employee
Everything posted by Kevin Zoll

  1. @athul Your personal ID: 0198nTsddS3wnrGHb25jELGAwoOjfGDAONcPEMy6oijuyR0a5 This is an online ID and as such our decryption tool cannot decrypt files that were encrypted using an online ID.
  2. @vikram chavan That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

     Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

     Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

     For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

     While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

     Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  3. Hello @Benjie, Welcome to the Emsisoft Support Forums.

     Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

         () [File not signed] C:\Users\Benjie Santiago\AppData\Roaming\Vysor\crx\gidgenkbbabolejbgbpnhbimgjbffefm\app-2.2.6.crx-unpacked\native\win32\adb.exe
         HKLM\...\Policies\Explorer: [ConfirmFileDelete] 0
         HKLM\...\Policies\Explorer: [HideSCAHealth] 1
         HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
         Startup: C:\Users\Benjie Santiago\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stay On Top.lnk [2019-12-16]
         ShortcutTarget: Stay On Top.lnk -> C:\Users\Benjie Santiago\AppData\Roaming\Microsoft\Installer\{5C6C0192-BA75-4932-8931-B2FF88346E49}\_16dd6dc4.exe (No File)
         GroupPolicy: Restriction ? <==== ATTENTION
         BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
         BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
         2020-01-20 09:23 - 2019-10-22 03:51 - 000002930 _____ C:\Windows\e.bat
         2020-01-20 09:23 - 2019-07-31 00:00 - 000004608 _____ () C:\Windows\e.exe
         2020-01-20 08:58 - 2020-01-20 08:58 - 000000028 _____ C:\Windows\tmp_lkdj23df2
         2020-01-20 08:56 - 2020-01-20 12:28 - 000000000 ____D C:\Users\Benjie Santiago\AppData\Roaming\n240ko045ti
         2020-01-20 08:48 - 2020-01-20 08:49 - 000000000 ____D C:\ProgramData\2PR6BV9QD1I9BK42OVFZPW1LF
         2020-01-20 08:48 - 2020-01-20 08:48 - 000000049 _____ C:\Users\Benjie Santiago\AppData\Local\script.ps1
         2020-01-20 08:47 - 2020-01-20 12:28 - 000000000 ____D C:\Users\Benjie Santiago\AppData\Roaming\eytfih1ylk5
         2020-01-20 08:47 - 2020-01-20 08:47 - 000000000 ____D C:\ProgramData\{FB162844-05BE-A566-C618-E529C6FFBC78}
         2020-01-20 08:47 - 2020-01-20 08:47 - 000000000 ____D C:\ProgramData\{66F458D0-752A-3884-5268-07B4528F5EE5}
         2020-01-20 08:48 - 2020-01-20 08:48 - 000137168 _____ (Mozilla Foundation) C:\ProgramData\mozglue.dll
         2020-01-20 08:48 - 2020-01-20 08:48 - 001246160 _____ (Mozilla Foundation) C:\ProgramData\nss3.dll
         2020-01-25 07:58 - 2020-01-25 07:58 - 000000000 _____ () C:\Users\Benjie Santiago\AppData\Roaming\{76BE5B84-EB32-45DC-9563-2E5604DC949B}
         2020-01-20 08:48 - 2020-01-20 08:48 - 000000049 _____ () C:\Users\Benjie Santiago\AppData\Local\script.ps1
         AlternateDataStreams: C:\Users\Benjie Santiago:.repos [6042670]

     Close Notepad.

     NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
     NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
     IMPORTANT: Save all of your work, as the next step may reboot your computer.

     Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     NOTE: If the tool warns you about an outdated version please download and run the updated version.

     Also, let me know how the machine is running now, and what remaining issues you've noticed.
  4. @Vicky You just click the Fix button once and it will load fixlist.txt and run the contents of the file. If it does not run, make sure that both FRST and fixlist.txt are actually in the same folder with each other.
  5. This is an online ID. As such your files encrypted with an online ID cannot be decrypted.
  6. It should be OK to try the STOP decrypter.
  7. The active infection should be gone, but I want to take another look. Run a fresh scan with FRST and attach the new FRST reports to your reply.
  8. Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

         C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242\EC67.tmp.exe
         C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242
         C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2\dreamtrips_mix1.exe
         C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2
         C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\0ZnTo1JjqgmJNDsv8MsX.exe
         C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\eJw05ABKDl=.exe
         C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5
         C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf\fish.exe
         C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf
         C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln\ytbticket.exe
         C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln
         C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim\forinstalls.exe
         C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim
         C:\Windows\windows.vbs

     Close Notepad.

     NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
     NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
     IMPORTANT: Save all of your work, as the next step may reboot your computer.

     Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     NOTE: If the tool warns you about an outdated version please download and run the updated version.

     Also, let me know how the machine is running now, and what remaining issues you've noticed.
  9. @Reggia99 Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

         (Psiphon Inc. -> ) C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
         HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => "C:\Users\ELITE\AppData\Local\Temp\systm.exe" .. <==== ATTENTION
         2020-01-24 11:54 - 2020-01-24 11:58 - 006978160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe
         2020-01-24 11:54 - 2020-01-24 11:55 - 006658160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
         2020-01-20 14:24 - 2020-01-24 11:58 - 000000000 ____D C:\Users\ELITE\AppData\Roaming\Psiphon3

     Close Notepad.

     NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
     NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
     IMPORTANT: Save all of your work, as the next step may reboot your computer.

     Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     NOTE: If the tool warns you about an outdated version please download and run the updated version.

     Also, let me know how the machine is running now, and what remaining issues you've noticed.
  10. @akin The ID is an offline ID. The only way to know if it is decryptable or not is to run the decryption tool.

     Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

     Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

     For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

     While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

     Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  11. @MrSalazar Screenshots are of no use to us when it comes to extracting the data necessary to form a fix. Please attach the EEK scan report to your reply.
  12. Hello @babisk, Welcome to the Emsisoft Support Forums. The ID you provided is an online ID and as such files that were encrypted with an online ID cannot be decrypted using third-party decryption tools.
  13. @Ali Raza It is not possible to decrypt STOP/DJVU encrypted files that were encrypted with an Online ID using third-party decryption tools, unless the decryption service was able to obtain the decryption key. Anyone who claims to be able to decrypt files for which no one has publicly released a free decryption tool is either the criminals themselves or working with the criminals. Who did you send your files to?
  14. Hello, Welcome to the Emsisoft Support Forums. That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

     Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

     Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

     For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

     While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

     Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  15. @Vicky I replied to your support thread just a bit ago. See my instructions in my reply to your post in that thread.
  16. Hello @Vicky, Welcome to the Emsisoft Support Forums. The system does not appear to have an active malware infection. There are a few things showing in the FRST scan reports that should be addressed before doing anything else.

     Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

         GroupPolicy\User: Restriction ? <==== ATTENTION
         FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
         2020-01-19 20:01 - 2020-01-19 20:02 - 000000000 ____D C:\ProgramData\I9KQPJQ1YQNPPALO2IE1IGEJ7
         2020-01-18 11:28 - 2020-01-18 11:29 - 000000000 ____D C:\ProgramData\4EBR3QTLGPPXA7O7UKM0WQPCX

     Close Notepad.

     NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
     NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
     IMPORTANT: Save all of your work, as the next step may reboot your computer.

     Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     NOTE: If the tool warns you about an outdated version please download and run the updated version.

     The KODC extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated last year, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

     Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

     Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

     For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

     While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

     Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  17. @Reggia99 The FRST fix appears to have removed everything that was targeted for removal. Let's get a fresh set of logs from FRST. Run a fresh Scan and attach the resulting scan reports to your reply.
  18. @elhakim I can see from the FRST reports that you tried to fix this yourself. Though a fairly typical and understandable reaction, it is the wrong thing to do. First, you run the very real chance of rendering your system inoperable, and second, there are ransomware variants that, if removed, will make it impossible to decrypt the files.

     Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

         Startup: C:\Users\muham\AppData\Roaming\Microsoft\Credentials\2428593\muham.lnk [2020-01-21]
         ShortcutTarget: muham.lnk -> C:\Program Files (x86)\Seed Trade\Seed\seed.exe (No File)
         S3 VSScanner; system32\DRIVERS\vsscanner.sys [X]

     Close Notepad.

     NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
     NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
     IMPORTANT: Save all of your work, as the next step may reboot your computer.

     Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     NOTE: If the tool warns you about an outdated version please download and run the updated version.

     Also, let me know how the machine is running now, and what remaining issues you've noticed.
  19. @Reggia99 This is what happens when you use software cracks and software that bypasses activation & licensing checks.

     Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

         () [File not signed] C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
         (@ByELDI -> @ByELDI) [File not signed] C:\Program Files\KMSpico\Service_KMS.exe
         HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [IDMan] => C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe /onboot
         HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => C:\Users\ELITE\AppData\Local\Temp\systm.exe .. [143360 2020-01-22] () [File not signed] <==== ATTENTION
         HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [SysHelper] => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
         Startup: C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe [2020-01-22] () [File not signed]
         CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
         CHR HKU\S-1-5-21-2733843967-2851411726-668708617-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
         Task: {21E9A013-951F-4642-A689-7F41333D3333} - System32\Tasks\{EF8B4B0E-0DB2-43A6-9ADE-73E476E68F36} => C:\Windows\system32\pcalua.exe -a C:\Users\ELITE\Desktop\setup-antimalware-fix.exe -d C:\Users\ELITE\Desktop
         Task: {472C1014-5966-4056-A20F-4F7B661295D8} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [985792 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
         Task: {78B90FE6-5587-4ACB-ABFE-C1340D4F0660} - System32\Tasks\{F8B58B6D-37E2-43A1-BE2B-56E42B7BA52B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\idman519.exe" -d "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked"
         Task: {7F55E9F5-071D-4FAE-B034-FD43328A90A5} - System32\Tasks\vmdgiuqzkckchxb => msiexec.exe /quiet /i "C:\Users\ELITE\AppData\Roaming\porjbsuuomwf\mssypkgmnwzyolm.msi" WEBID=STAGE2_PM_P1 TKNME=vmdgiuqzkckchxb
         Task: {819F80EF-B423-4205-974E-6707E5F1783A} - System32\Tasks\gpjhsrnucvcet => msiexec.exe /quiet /i
         Task: {AD87446A-0A10-4CC5-AB4E-118C71A30045} - System32\Tasks\Time Trigger Task => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
         Task: {BD4595FB-CBE2-4833-9B45-886075F74421} - System32\Tasks\{1843AF6A-EE8C-4D5A-9FC9-B368A806F95B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\Uninstall.exe" -d C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4 -c -instlsp1
         Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(1): mshta.exe -> "http://update.drp.su/nps/offline/bin/tools/run.hta" "17.7.33 Offline" "1563949582624" "686e31f9-d09f-4a82-bf23-f84c513d7537"
         Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(2): SCHTASKS -> /Delete /TN DRPNPS /F
         Task: {FE6C6162-D3EA-43C8-B305-5E20A7BD8258} - System32\Tasks\{46222C45-E984-4CB4-A9BC-C57521D11103} => C:\Windows\system32\pcalua.exe -a G:\Encarta\ADMSETUP.EXE -d G:\Encarta
         Winsock: Catalog9 01 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         Winsock: Catalog9 02 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         Winsock: Catalog9 03 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         Winsock: Catalog9 04 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         Winsock: Catalog9 05 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         Winsock: Catalog9 06 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         Winsock: Catalog9 07 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         Winsock: Catalog9 08 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         Winsock: Catalog9 09 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         Winsock: Catalog9 10 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         Winsock: Catalog9 22 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
         ManualProxies: 1http=127.0.0.1:61541;https=127.0.0.1:61541;socks=127.0.0.1:61540
         BHO-x32: IDMIEHlprObj Class -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMIECC.dll [2010-04-26] (Tonec Inc. -> Tonec Inc.)
         FF user.js: detected! => C:\Users\ELITE\AppData\Roaming\Mozilla\Firefox\Profiles\a7fes3m2.default-release\user.js [2019-09-17]
         FF Plugin-x32: @adobe.com/AuthorwarePlayer -> C:\Windows\system32\Macromed\AUTHORWA\np32asw.dll [No File]
         FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1218158.dll [No File]
         FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
         FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
         R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [985280 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
         ShellIconOverlayIdentifiers: [ IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => G:\Users\adewunmi\Desktop\IDM 5.19.2.0 Cracked\IDMShellExt64.dll -> No File
         FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
         FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
         FirewallRules: [TCP Query User{E666B5D1-4247-4B2A-8643-0390C147EBA8}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
         FirewallRules: [UDP Query User{EB63A870-A908-44A0-8A49-97E0DAA73F72}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
         FirewallRules: [{F97B1F60-6626-4333-951B-BD4BB4D1DAFD}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
         FirewallRules: [{2C42D19B-1022-42F1-8EA8-A7722217EAF1}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
         C:\Program Files\KMSpico\AutoPico.exe
         C:\Program Files\KMSpico\KMSELDI.exe
         C:\Program Files\KMSpico\Service_KMS.exe
         C:\Program Files\KMSpico
         C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk
         C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk
         C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico
         C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
         C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17
         C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q\amix[1]
         C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q
         C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M\2f8a0fe3ae4f1ea2dbe95cd0da034588.exe
         C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M
         C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup\winnm\winnm32.dll
         C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup
         C:\Users\ELITE\AppData\Local\Temp\KMSpico_setup.exe
         C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0\wyfdggb.exe
         C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0
         C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV\3830a7e784f597db266e22ead81fb058.exe
         C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV
         C:\Users\ELITE\AppData\Local\Temp\net.exe
         C:\Users\ELITE\AppData\Local\Temp\systm.exe
         C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe
         C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\kms.exe
         C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
         C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
         C:\Windows\System32\Tasks\Time Trigger Task
         C:\Windows\System32\Tasks\gpjhsrnucvcet
         C:\Windows\System32\Tasks\vmdgiuqzkckchxb
         C:\Windows\SysWOW64\idmmbc.dll
         C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe
         C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK
         C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked
         C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4
         C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE
         C:\Users\ELITE\AppData\Roaming\IDM\DwnlData
         C:\Users\ELITE\AppData\Roaming\IDM

     Close Notepad.

     NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
     NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
     IMPORTANT: Save all of your work, as the next step may reboot your computer.

     Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     NOTE: If the tool warns you about an outdated version please download and run the updated version.

     Also, let me know how the machine is running now, and what remaining issues you've noticed.
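The fix script above is a compact picture of what an analyst reads out of an FRST report: unsigned executables under AppData or Temp with random-looking names, a Run key FRST itself flagged with "<==== ATTENTION", a copy of the same binary in the Startup folder, and a scheduled task pointing back at it. The Python below is an added example, not Emsisoft's or FRST's code and not part of the original post. It parses lines in FRST's report format and ranks them with a heuristic weighting that is an assumption of this example; the sample input is a handful of entries copied from the script above plus one constructed benign Run entry for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: five persistence entries copied from the FRST
# report lines quoted in the post above, plus one made-up benign Run entry
# (the SecurityHealth line) for contrast. Nothing here is read from a live system.
SAMPLE_LOG = r"""
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => C:\Users\ELITE\AppData\Local\Temp\systm.exe .. [143360 2020-01-22] () [File not signed] <==== ATTENTION
HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [SysHelper] => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
Startup: C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe [2020-01-22] () [File not signed]
Task: {AD87446A-0A10-4CC5-AB4E-118C71A30045} - System32\Tasks\Time Trigger Task => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [985280 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe [2019-03-19] (Microsoft Windows -> Microsoft Corporation)
"""

# First Windows path on the line that ends in an executable-like extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\[\]"]*?\.(?:exe|dll|msi|bat|vbs|ps1|hta)\b', re.IGNORECASE)
# FRST's "(signer -> company)" block; an empty "()" means the file carries no version info.
PUBLISHER_RE = re.compile(r'\(([^()]*)\)')
# Directory or file names that look machine-generated: 32 hex chars or a GUID.
RANDOM_NAME_RE = re.compile(
    r'\\[0-9a-f]{32}\b|\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\',
    re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Heuristic weights: an assumption of this example, not an FRST or Emsisoft scale.
WEIGHTS = {
    "attention": 3,               # FRST itself flagged the entry
    "unsigned": 2,                # [File not signed]
    "user-writable location": 2,  # AppData, Temp, ProgramData, Public
    "no version info": 1,         # empty "()" block
    "random-looking name": 1,     # hex blob or GUID in the path
}


@dataclass
class Finding:
    kind: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[r] for r in self.reasons)


def classify(line: str):
    """Map an FRST line to a persistence kind, or None if it is not one we handle."""
    if "\\Run: [" in line:
        return "run"
    if line.startswith("Startup:"):
        return "startup"
    if line.startswith("Task:"):
        return "task"
    if re.match(r"[RS]\d+ ", line):   # service/driver lines such as "R2 Service ..."
        return "service"
    return None


def analyse(line: str):
    """Return a Finding for one FRST persistence line, or None if it is skipped."""
    kind = classify(line)
    m = PATH_RE.search(line)
    if kind is None or m is None:
        return None
    path = m.group(0)
    f = Finding(kind, path)
    if "<==== ATTENTION" in line:
        f.reasons.append("attention")
    if "[File not signed]" in line:
        f.reasons.append("unsigned")
    if any(tok in path.lower() for tok in USER_WRITABLE):
        f.reasons.append("user-writable location")
    pub = PUBLISHER_RE.search(line)
    if pub is not None and pub.group(1).strip() == "":
        f.reasons.append("no version info")
    if RANDOM_NAME_RE.search(path):
        f.reasons.append("random-looking name")
    return f


def triage(text: str):
    """Parse every line, drop the ones we cannot score, and sort worst first."""
    findings = [f for f in (analyse(l.strip()) for l in text.splitlines()) if f]
    return sorted(findings, key=lambda f: (-f.score, f.path.lower()))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score:2d} {f.kind:8s} {f.path}  ({', '.join(f.reasons) or 'nothing suspicious'})")
```

On the sample the flagged Run entry for systm.exe comes out on top, the three entries that share the GUID-named AppData directory and the hex-named Startup copy tie below it, KMSpico's unsigned service scores on signing alone, and the constructed Microsoft entry scores zero. The weights are only a starting point; the useful part is that the same binary shows up under several persistence kinds, which is exactly the pattern the fix script removes in one go.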
  20. @Reggia99 Whenever you have the two reports from FRST, I will review when I am able to. Usually, within a few hours of the logs being posted. However, it may take up to 24-hours before I can get to them.
  21. Hello @elhakim, Welcome to the Emsisoft Support Forums. What is the Personal ID in the Readme ransom note?

     Some variants of STOP are known to install malware to ensure that newly added files are encrypted. Let's make sure that there is not an active malware infection present, and if there is we can remove it.

     Download to your Desktop: Farbar Recovery Scan Tool

     NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to the disclaimer.

     NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones run with FRST's default settings.

     Press the Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt
  22. @Anbu Some STOP variants are known to install malware in order to ensure that newly added files are encrypted. Let's make sure there is no active malware infection present, and if there is then we can remove it.

     Download to your Desktop: Farbar Recovery Scan Tool

     NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to the disclaimer.

     NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones run with FRST's default settings.

     Press the Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt
  23. @ferko85 Let's deal with the active malware infection before attempting to recover your files.

     Download to your Desktop: Farbar Recovery Scan Tool

     NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to the disclaimer.

     NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones run with FRST's default settings.

     Press the Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt
  24. Hello @Reggia99, Welcome to the Emsisoft Support Forums. Let's deal with the active malware infection before attempting to recover your files.

     Download to your Desktop: Farbar Recovery Scan Tool

     NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to the disclaimer.

     NOTE: DO NOT change any of the default settings. If you do we will just close your logs and ask for new ones run with FRST's default settings.

     Press the Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt
  25. Hello @COnsu1, Welcome to the Emsisoft Support Forums.