Kevin Zoll

Emsisoft Employee
  • Content Count: 18703
  • Days Won: 176

Everything posted by Kevin Zoll

  1. @Reggia99 The FRST fix appears to have removed everything that was targeted for removal. Let's get a fresh set of logs from FRST. Run a fresh Scan and attach the resulting scan reports to your reply.
  2. @elhakim I can see from the FRST reports that you tried to fix this yourself. Though a fairly typical and understandable reaction, it is the wrong thing to do. First, you run the very real chance of rendering your system inoperable, and second, there are ransomware variants that, if removed, will make it impossible to decrypt the files. Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

     Startup: C:\Users\muham\AppData\Roaming\Microsoft\Credentials\2428593\muham.lnk [2020-01-21]
     ShortcutTarget: muham.lnk -> C:\Program Files (x86)\Seed Trade\Seed\seed.exe (No File)
     S3 VSScanner; system32\DRIVERS\vsscanner.sys [X]

     Close Notepad. NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system. IMPORTANT: Save all of your work, as the next step may reboot your computer. Run FRST and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version, please download and run the updated version. Also, let me know how the machine is running now, and what remaining issues you've noticed.
  3. @Reggia99 This is what happens when you use software cracks and software that bypasses activation & licensing checks. Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

     () [File not signed] C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
     (@ByELDI -> @ByELDI) [File not signed] C:\Program Files\KMSpico\Service_KMS.exe
     HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [IDMan] => C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe /onboot
     HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => C:\Users\ELITE\AppData\Local\Temp\systm.exe .. [143360 2020-01-22] () [File not signed] <==== ATTENTION
     HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [SysHelper] => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
     Startup: C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe [2020-01-22] () [File not signed]
     CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
     CHR HKU\S-1-5-21-2733843967-2851411726-668708617-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
     Task: {21E9A013-951F-4642-A689-7F41333D3333} - System32\Tasks\{EF8B4B0E-0DB2-43A6-9ADE-73E476E68F36} => C:\Windows\system32\pcalua.exe -a C:\Users\ELITE\Desktop\setup-antimalware-fix.exe -d C:\Users\ELITE\Desktop
     Task: {472C1014-5966-4056-A20F-4F7B661295D8} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [985792 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
     Task: {78B90FE6-5587-4ACB-ABFE-C1340D4F0660} - System32\Tasks\{F8B58B6D-37E2-43A1-BE2B-56E42B7BA52B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\idman519.exe" -d "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked"
     Task: {7F55E9F5-071D-4FAE-B034-FD43328A90A5} - System32\Tasks\vmdgiuqzkckchxb => msiexec.exe /quiet /i "C:\Users\ELITE\AppData\Roaming\porjbsuuomwf\mssypkgmnwzyolm.msi" WEBID=STAGE2_PM_P1 TKNME=vmdgiuqzkckchxb
     Task: {819F80EF-B423-4205-974E-6707E5F1783A} - System32\Tasks\gpjhsrnucvcet => msiexec.exe /quiet /i
     Task: {AD87446A-0A10-4CC5-AB4E-118C71A30045} - System32\Tasks\Time Trigger Task => C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe [780288 2019-09-17] () [File not signed]
     Task: {BD4595FB-CBE2-4833-9B45-886075F74421} - System32\Tasks\{1843AF6A-EE8C-4D5A-9FC9-B368A806F95B} => C:\Windows\system32\pcalua.exe -a "C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\Uninstall.exe" -d C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4 -c -instlsp1
     Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(1): mshta.exe -> "http://update.drp.su/nps/offline/bin/tools/run.hta" "17.7.33 Offline" "1563949582624" "686e31f9-d09f-4a82-bf23-f84c513d7537"
     Task: {BDED1ECD-96F2-4850-8119-EE15B3E27E22} - System32\Tasks\DRPNPS => Command(2): SCHTASKS -> /Delete /TN DRPNPS /F
     Task: {FE6C6162-D3EA-43C8-B305-5E20A7BD8258} - System32\Tasks\{46222C45-E984-4CB4-A9BC-C57521D11103} => C:\Windows\system32\pcalua.exe -a G:\Encarta\ADMSETUP.EXE -d G:\Encarta
     Winsock: Catalog9 01 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     Winsock: Catalog9 02 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     Winsock: Catalog9 03 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     Winsock: Catalog9 04 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     Winsock: Catalog9 05 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     Winsock: Catalog9 06 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     Winsock: Catalog9 07 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     Winsock: Catalog9 08 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     Winsock: Catalog9 09 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     Winsock: Catalog9 10 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     Winsock: Catalog9 22 C:\Windows\SysWOW64\idmmbc.dll [210352 2009-09-09] (Tonec Inc. -> Tonec Inc.)
     ManualProxies: 1http=127.0.0.1:61541;https=127.0.0.1:61541;socks=127.0.0.1:61540
     BHO-x32: IDMIEHlprObj Class -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMIECC.dll [2010-04-26] (Tonec Inc. -> Tonec Inc.)
     FF user.js: detected! => C:\Users\ELITE\AppData\Roaming\Mozilla\Firefox\Profiles\a7fes3m2.default-release\user.js [2019-09-17]
     FF Plugin-x32: @adobe.com/AuthorwarePlayer -> C:\Windows\system32\Macromed\AUTHORWA\np32asw.dll [No File]
     FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1218158.dll [No File]
     FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
     FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [No File]
     R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [985280 2015-07-22] (@ByELDI -> @ByELDI) [File not signed]
     ShellIconOverlayIdentifiers: [ IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => G:\Users\adewunmi\Desktop\IDM 5.19.2.0 Cracked\IDMShellExt64.dll -> No File
     FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
     FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe No File
     FirewallRules: [TCP Query User{E666B5D1-4247-4B2A-8643-0390C147EBA8}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
     FirewallRules: [UDP Query User{EB63A870-A908-44A0-8A49-97E0DAA73F72}C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe] => (Allow) C:\users\elite\desktop\drive\idm 5.19.2.0 cracked\crack\idman.exe No File
     FirewallRules: [{F97B1F60-6626-4333-951B-BD4BB4D1DAFD}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
     FirewallRules: [{2C42D19B-1022-42F1-8EA8-A7722217EAF1}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe (@ByELDI -> @ByELDI) [File not signed]
     C:\Program Files\KMSpico\AutoPico.exe
     C:\Program Files\KMSpico\KMSELDI.exe
     C:\Program Files\KMSpico\Service_KMS.exe
     C:\Program Files\KMSpico
     C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk
     C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk
     C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico
     C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17\2179486260.exe
     C:\Users\ELITE\AppData\Local\338123c6-352c-461f-a93c-843e7e097e17
     C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q\amix[1]
     C:\Users\ELITE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M40N380Q
     C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M\2f8a0fe3ae4f1ea2dbe95cd0da034588.exe
     C:\Users\ELITE\AppData\Local\Temp\2M1tQuSfQBFRqG3M
     C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup\winnm\winnm32.dll
     C:\Users\ELITE\AppData\Local\Temp\Framework_4_Setup
     C:\Users\ELITE\AppData\Local\Temp\KMSpico_setup.exe
     C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0\wyfdggb.exe
     C:\Users\ELITE\AppData\Local\Temp\V6D2jKN4QzeOrXp0
     C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV\3830a7e784f597db266e22ead81fb058.exe
     C:\Users\ELITE\AppData\Local\Temp\WlT1v39p0CGVr3RV
     C:\Users\ELITE\AppData\Local\Temp\net.exe
     C:\Users\ELITE\AppData\Local\Temp\systm.exe
     C:\Users\ELITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5a712307fa1e2cbcc5e79fcd80d9f09d.exe
     C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\kms.exe
     C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
     C:\Users\ELITE\Desktop\softwares\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)
     C:\Windows\System32\Tasks\Time Trigger Task
     C:\Windows\System32\Tasks\gpjhsrnucvcet
     C:\Windows\System32\Tasks\vmdgiuqzkckchxb
     C:\Windows\SysWOW64\idmmbc.dll
     C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK\IDMan.exe
     C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked\CRACK
     C:\Users\ELITE\Desktop\drive\IDM 5.19.2.0 Cracked
     C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE\testing_4
     C:\Users\ELITE\AppData\Roaming\IDM\DwnlData\ELITE
     C:\Users\ELITE\AppData\Roaming\IDM\DwnlData
     C:\Users\ELITE\AppData\Roaming\IDM

     Close Notepad. NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system. IMPORTANT: Save all of your work, as the next step may reboot your computer. Run FRST and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version, please download and run the updated version. Also, let me know how the machine is running now, and what remaining issues you've noticed.
  4. @Reggia99 Whenever you have the two reports from FRST, I will review them when I am able to, usually within a few hours of the logs being posted. However, it may take up to 24 hours before I can get to them.
  5. Hello @elhakim, Welcome to the Emsisoft Support Forums. What is the Personal ID in the Readme ransom note? Some variants of STOP are known to install malware to ensure that newly added files are encrypted. Let's make sure that there is not an active malware infection present, and if there is, we can remove it.

     Download to your Desktop: Farbar Recovery Scan Tool
     NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     Run Farbar Recovery Scan Tool (FRST):
     Double-click to run it. When the tool opens, click Yes to the disclaimer.
     NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.
     Press the Scan button.
     Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt
  6. @Anbu Some STOP variants are known to install malware in order to ensure that newly added files are encrypted. Let's make sure there is no active malware infection present, and if there is, then we can remove it.

     Download to your Desktop: Farbar Recovery Scan Tool
     NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     Run Farbar Recovery Scan Tool (FRST):
     Double-click to run it. When the tool opens, click Yes to the disclaimer.
     NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.
     Press the Scan button.
     Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt
  7. @ferko85 Let's deal with the active malware infection before attempting to recover your files.

     Download to your Desktop: Farbar Recovery Scan Tool
     NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     Run Farbar Recovery Scan Tool (FRST):
     Double-click to run it. When the tool opens, click Yes to the disclaimer.
     NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.
     Press the Scan button.
     Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt
  8. Hello @Reggia99, Welcome to the Emsisoft Support Forums. Let's deal with the active malware infection before attempting to recover your files.

     Download to your Desktop: Farbar Recovery Scan Tool
     NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

     Run Farbar Recovery Scan Tool (FRST):
     Double-click to run it. When the tool opens, click Yes to the disclaimer.
     NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.
     Press the Scan button.
     Farbar Recovery Scan Tool will produce the following logs: FRST.txt, Addition.txt
  9. Hello @COnsu1, Welcome to the Emsisoft Support Forums.
  10. @NKK The report system is not for making replies. Further abuse of the report system will result in a formal warning. Regardless of what you may or may not have read somewhere online, the presence of ransom notes all over the file system is not an indicator of the ID being an Offline ID. It is just what ransomware does. Your Personal ID of 0197nTsddDIwEtpIK6kgFIcX2WF5PL9Sluk6KBxQRzL7PUDOm is an Online ID, and as such our tool is incapable of decrypting your files.
  11. Hello @E.H, Welcome to the Emsisoft Support Forums. The ID you supplied is an online ID, meaning that the files cannot be decrypted. An online ID means that your encryption key was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. There is more information available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  12. No, it is not feasible to reverse engineer the encryption key. Even if we had the world's most powerful supercomputer at our disposal, it would not be able to crack the encryption algorithm anytime in the next couple hundred thousand years.
  13. Hello, Thank you for contacting Emsisoft Support. The ID you supplied is an online ID, meaning that the files cannot be decrypted. An online ID means that your encryption key was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. There is more information available at the following link:
  14. @Hankash You can try using file recovery software, but expect it not to work. Depending on how much free space you have on your hard drive and the number of files that were encrypted, it is entirely possible that any information referencing the original files in the file table has been overwritten and is not recoverable. Google search for file recovery software: https://www.google.com/search?client=firefox-b-1-d&q=file+recovery+software Google search for file recovery services: https://www.google.com/search?client=firefox-b-1-d&sxsrf=ACYBGNSlNFFV6G2BIbARhVNhb18Tter8UA%3A1579285173036&ei=tfohXpnrAcvbtAbfvbLQBA&q=file+recovery+services&oq=file+recovery+services&gs_l=psy-ab.3..0j0i22i30l7.76551.78286..79147...0.6..0.220.1201.0j7j1......0....1..gws-wiz.......0i71j0i67.9gMOHjKNupk&ved=0ahUKEwjZmfPdn4vnAhXLLc0KHd-eDEoQ4dUDCAo&uact=5 A word of caution: file/data recovery services can be quite expensive. Another option is using a service like Coveware to negotiate a lower ransom on your behalf. https://www.coveware.com/
  15. Hello @GIAN, Welcome to the Emsisoft Support Forums. That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019. Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/ Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation. While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation. Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  16. Given enough time and resources, anything is possible. However, even the strongest supercomputer in use today will not be able to figure out the encryption key anytime in the next couple hundred thousand years.
  17. Hello @wpuerta, Welcome to the Emsisoft Support Forums. The ID you supplied is an online ID, meaning that the files cannot be decrypted. An online ID means that your encryption key was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.
  18. Hello @Hankash, Welcome to the Emsisoft Support Forums. That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019. Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/ Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation. While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation. Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  19. Hello @Shenouda, Welcome to the Emsisoft Support Forums. Your ID is an online ID, and as such we are incapable of decrypting the files. Unless someone releases the private encryption keys, whether that be law enforcement, security researchers, or the criminals, there is no way to decrypt the files at this time.
  20. All of what you describe can be done without disabling the AV. If disabling the AV is necessary because it trips on the driver, then we're right back to my original statement. The problem is not the AV but the buggy driver and crappy coding. The advice to disable the AV is outdated and simply irresponsible of the party making the recommendation. Companies resort to that type of recommendation because they are too lazy to chase down the offending code and fix their code base.
  21. There is always the possibility that anti-virus software can interfere with an update. Disabling the AV should be the last thing you do, and only as a last resort. Anybody who suggests disabling the AV before installing the update is covering the fact that their coders write crappy code that will trigger an AV because, well, it is crappy code.
  22. Hello @Jailson, Welcome to the Emsisoft Support Forums. That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019. Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/ Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation. While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation. Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  23. Hello @japowell11, Welcome to the Emsisoft Support Forums. Let's make sure of what we're dealing with. Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note simultaneously for proper identification, and send me the information it provides: https://www.emsisoft.com/ransomware-decryption-tools/ Please be sure to read the information link on the results page, as whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery. You might try undelete software such as Recuva from Piriform, or if your files are very important, it may be worth talking to a company that specializes in negotiating with the criminals that created the ransomware, such as Coveware, at https://www.coveware.com/. They are one of the few companies that do this completely transparently and honestly. If the identification process shows a ransomware that is not decryptable, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  24. Hello @meet, Welcome to the Emsisoft Support Forums. If our decrypter was unable to determine the encryption keys for your encrypted files, then there is no way to decrypt the files without paying the ransom, which is not something we recommend you do unless you have no other choice.