Kevin Zoll

Emsisoft Employee
  • Content Count: 18777
  • Days Won: 177
Everything posted by Kevin Zoll

  1. We do not accept donations for our work. If you wish to purchase Emsisoft Anti-Malware, a link is in my signature. You can run the decrypter as many times as needed. However, if there is no key for the files, it will not be able to decrypt those files.
  2. @Vicky Run our decryption tool again; we added several offline keys over the past few days. You might get lucky and one might be a match.
  3. @guri @jrozasv We recently added offline keys for ALKA and REPP. Run the STOPdjvu decrypter again.
  4. @SalasKafa If the connection is lost for any reason, then that could trigger the error you got.
  5. Hello @btosinfected2020, Welcome to the Emsisoft Support Forums. What is the ID that our decryption tool identified? If it is an Online ID, then we are not able to decrypt the files, as we are not in possession of online encryption keys.
  6. As stated in my original post this variant is not supported by our decryption tool. I had you run the tool for the sole purpose of deactivating and removing any malware installed by STOP/DJVU.
  7. It's always possible. We added two offline keys over the weekend. It really depends on whether or not we are given the key by someone who has paid the ransom.
  8. Hello @m2413, Welcome to the Emsisoft Support Forums. Though those are offline IDs, our decryption tool cannot decrypt your files, as we are not in possession of the decryption key that matches your offline ID.
  9. Hello @Shiladitya Dey, Welcome to the Emsisoft Support Forums. The ID you supplied is an online ID, meaning that the files cannot be decrypted. An online ID means that your encryption key was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. There is more information available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  10. Hello Jay92, Welcome to the Emsisoft Support Forums. An online ID means that your encryption key was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. There is more information available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  11. Hello @jrozasv, Welcome to the Emsisoft Support Forums. Though those are offline IDs, our decryption tool cannot decrypt your files, as we are not in possession of the decryption key that matches your offline ID.
  12. Hello @TASSIN, Welcome to the Emsisoft Support Forums. The copy of Emsisoft Emergency Kit you are using is old and outdated. Please download and use the newest version of Emsisoft Emergency Kit. You can download it from https://dl.emsisoft.com/EmsisoftEmergencyKit.exe
  13. Hello @mohammadali_149, Thank you for contacting Emsisoft Support. KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU. To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  14. @Vicky I'm not seeing anything malicious in the FRST reports. There are some minor issues that should be addressed. Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

      S2 MBAMInstallerService; C:\Users\Vicky\AppData\Local\Temp\MBAMInstallerService.exe [5224144 2020-01-27] (Malwarebytes Inc -> Malwarebytes) <==== ATTENTION
      S1 fsuntrqk; \??\C:\WINDOWS\system32\drivers\fsuntrqk.sys [X]
      ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
      ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
      FirewallRules: [{8120D0A3-B879-423E-B34F-66DC6B1BC843}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
      FirewallRules: [{2DA15E6F-F9D4-4B7A-85C1-44DC6ECCD30F}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
      FirewallRules: [{9B1D43E2-39DC-4B82-A8F1-AC624CAA7B76}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
      FirewallRules: [{7E56B557-EA3F-4193-91CB-09157A4901F0}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
      FirewallRules: [{B74FF42E-CD71-4EC6-BB77-40F98B5A61DD}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
      FirewallRules: [{56BE0716-43C7-4CB4-A2F6-071DEA731021}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
      FirewallRules: [{ACAE2957-F8DB-435B-B108-FA186577F60D}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
      FirewallRules: [{A62D2840-6868-4A4F-BA28-6E7029002D4C}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File

      Close Notepad.
      NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
      NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
      IMPORTANT: Save all of your work, as the next step may reboot your computer.
      Run FRST and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
      NOTE: If the tool warns you about an outdated version, please download and run the updated version.
      Also, let me know how the machine is running now, and what remaining issues you've noticed.
  15. @Able if our decryption tool is unable to determine the decryption key for your files, then it is not possible to decrypt the files.
  16. If our decryption tool is unable to determine the decryption key(s) for your files, then they cannot be decrypted.
  17. @Amah benedict All the IDs in your post are Online IDs, and as such our decryption tool cannot decrypt your files.
  18. Hello @shyam punjabi, Welcome to the Emsisoft Support Forums. NOSU is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the NOSU variant of STOP/DJVU. To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  19. @[email protected] The decrypter that was sent to Yosef Immannuel will not work for your files. It is unique to his files.
  20. Hello @Ricardo Landivar, Thank you for contacting Emsisoft Support. NPSG is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the NPSG variant of STOP/DJVU. To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  21. @Vicky Let's take a fresh look. Run a fresh FRST scan and attach the new FRST scans to your reply. Be sure to let me know how things are running.
  22. @Rohith It's the same answer for offline IDs. Until such time that we get an encryption key matching the offline ID for your files, they will remain undecryptable.
  23. Thread Closed. Reason: Resolved. PM either Kevin or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  24. Thread Closed. Reason: Resolved. PM either Kevin or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  25. Hello @sulaiman, Welcome to the Emsisoft Support Forums. The ID in the ransom note is an Online ID, meaning that our tool more than likely cannot decrypt your files. However, your files could have more different IDs. Please run our decryption tool anyway. To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu