Kevin Zoll

Emsisoft Employee
  • Content Count

    18777
  • Joined

  • Last visited

  • Days Won

    177

Everything posted by Kevin Zoll

  1. Hello @R.Prince, Welcome to the Emsisoft Support Forums. General Notes With Regards to STOP/DJVU If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key, we can't. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  2. Hello @masanttos, Welcome to the Emsisoft Support Forums. General Notes With Regards to STOP/DJVU If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key, we can't. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  3. Hello @krishna thanki, Welcome to the Emsisoft Support Forums. What does "Remote name could not be resolved" mean? It's an indication of a DNS issue. Our first recommendation is to reset your HOSTS file back to default. Microsoft has an article about this at the following link: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
  4. Run a fresh scan with FRST, attach the new FRST scan reports to your reply. How are things running?
  5. You are welcome. Happy to be of assistance.
  6. Hello @William Lee, Thank you for contacting Emsisoft Support. BBOO is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the BBOO variant of STOP/DJVU. General Notes With Regards to STOP/DJVU If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key, we can't. To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  7. @Marcos Antonio If our decryption tool states that the files cannot be decrypted, then they cannot be decrypted. General Notes With Regards to STOP/DJVU If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key, we can't. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  8. Hello @lucky2345 Thank you for contacting Emsisoft Support. TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU. General Notes With Regards to STOP/DJVU If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key, we can't. To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  9. @Varun File pairs can be submitted to https://decrypter.emsisoft.com/submit/stopdjvu/
  10. @Mike77 Yes, backup the encrypted files and store them somewhere safe, in the event that we are able to decrypt the files at some point in the future.
  11. Do not coy & paste logs to your replies. The instructions call for all logs to be attached for a reason. You can have RogueKiller delete everything it found.
  12. @waleed elhoseny You are using an older version of our decryption tool. Version 1.0.0.4 is the latest version of the STOP/DJVU decrypter. To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
  13. If our decryption tool states that the files cannot be decrypted, then the files cannot be decrypted. General Notes With Regards to STOP/DJVU If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key, we can't. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  14. @Nauman If our decryption tool states that it cannot decrypt your files, then the files cannot be decrypted. General Notes With Regards to STOP/DJVU If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key, we can't. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  15. @Mike77 Your FRST reports no longer show malware. The malware that was present has been successfully deactivated and removed.
  16. @kehinde @Jaykishan If our database has a decryption key matching the ID of the file, then that key can be used to decrypt your files. If the decryption tools states that the files cannot be decrypted, that is because we do not have the decryption key for those files. General Notes With Regards to STOP/DJVU If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key, we can't. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  17. Hello @Agha Ali, Welcome to the Emsisoft Support Forums. If our decryption tool states that the files cannot be decrypted, then they cannot be decrypted. General Notes With Regards to STOP/DJVU If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the decryption keys in our database, then our decryption tool will be able to decrypt those files that were encrypted using that key. New Variant STOP/DJVU utilizes the RSA encryption algorithm. RSA is considered a secure encryption method and is unbreakable using current technologies. It is not reversible, cannot be cracked, and we are not able to generate a decryption key. So do not send us encrypted files thinking we can recover your decryption key, we can't. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  18. @Mike77 Run a fresh scan with FRST, attach the new FRST reports to your reply.
  19. Changing tools. Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop. Double-click on setup.exe to install RogueKiller. Close all programs and disconnect any USB or external drives before running the tool. Right-click RogueKiller.exe and select Run As Administrator to run the tool. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.
  20. @Mike77 Copy the below code to Notepad; Save As fixlist.txt to your Desktop. HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION HKU\S-1-5-21-2839862633-4155940622-1829493113-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1 Startup: C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvfgrhjf.lnk [2020-01-25] ShortcutAndArgument: rvfgrhjf.lnk -> C:\Windows\System32\cmd.exe => /c start "" "C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf\svjticje.exe" CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION S2 Main Service; C:\Program Files (x86)\MachinerData\DVD43.exe 1 [X] S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [X] 2020-01-26 16:02 - 2020-02-03 20:37 - 000000000 ____D C:\Program Files\KMSpico 2020-01-25 18:19 - 2020-02-02 22:25 - 000000000 ____D C:\Users\M.HajAli\AppData\Roaming\Z66488341 2020-01-25 18:19 - 2020-02-02 22:25 - 000000000 ____D C:\Users\M.HajAli\AppData\Roaming\Z44396531 2020-01-25 18:19 - 2020-01-25 18:19 - 000000049 _____ C:\Users\M.HajAli\AppData\Local\script.ps1 2020-01-25 18:18 - 2020-01-25 18:18 - 000000000 ____D C:\ProgramData\2KJS93X1EXOEGAUCUCLDZNV4A 2020-01-25 18:19 - 2020-01-25 18:19 - 000000049 _____ () C:\Users\M.HajAli\AppData\Local\script.ps1 C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf\svjticje.exe C:\Users\M.HajAli\AppData\Roaming\Microsoft\Windows\rvfgrhjf ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File AlternateDataStreams: C:\Users\M.HajAli:.repos [6042680] AlternateDataStreams: C:\Users\M.HajAli\Desktop\Wish List.xlsx.topidentifier:$DATA [50] HKU\S-1-5-21-2839862633-4155940622-1829493113-1001\...\StartupApproved\StartupFolder: => "rvfgrhjf.lnk" FirewallRules: [{BDBB6A12-A269-46F5-837F-041BD20B88E8}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe No File FirewallRules: [{68AC56EE-B358-48E3-BBEB-B8017959552C}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe No File FirewallRules: [{B4745770-A60A-4A25-92E4-A5A7EC3F692D}] => (Allow) C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe No File FirewallRules: [{B264D7B5-45BC-4B4D-A76B-00700CA7028B}] => (Allow) C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe No File FirewallRules: [{820DCB93-3883-477F-854B-4837FD05FF5F}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe No File FirewallRules: [{C5B43993-5600-493C-BAFB-B3B7B15F6077}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe No File Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk -> C:\Program Files\KMSpico\AutoPico.exe (No File) Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk -> C:\Program Files\KMSpico\KMSELDI.exe (No File) Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\Log KMSpico.lnk -> C:\Program Files\KMSpico\scripts\Log.cmd () Close Notepad. NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system IMPORTANT: Save all of your work, as the next step may reboot your computer. Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version please download and run the updated version. Also, let me know how the machine is running now, and what remaining issues you've noticed.
  21. If the decryption tool is telling you that the files cannot be decrypted, then they cannot be decrypted. STOP/DJVU NOTES: If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches one of the keys in our database, then our decryption tool will be able to decrypt those files. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  22. Hello @Muhammadmeer, Welcome to the Emsisoft Support Forums. That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019. Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/ Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation. While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation. Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice. choice.
  23. Hello @JuniorXcoder, Thank you for contacting Emsisoft Support. BBOO is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the BBOO variant of STOP/DJVU. NOTES: If the decryption tool tells you the files cannot be decrypted, then they cannot be decrypted. That is not an error message. If your file(s) have an Online ID that means that the file(s) encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys. If your files(s) have an Offline ID and were not decrypted it is because we do not have the corresponding decryption key in our database. Do not ask us when we plan on adding it, because we do not have it or a way for generating your decryption key. Our database does include some Offline ID decryption keys for newer variants of the STOP/DJVU family of ransomware. If the file(s) were encrypted with an Offline ID that matches one of the keys in our database, then our decryption tool will be able to decrypt those files encrypted using that encryption key. To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.