Kevin Zoll

Emsisoft Employee
Content Count: 18781
Days Won: 177

Everything posted by Kevin Zoll

  1. That is an Online Key. The decryption key for that ID is in the possession of the cyber-criminal responsible for encrypting your files. It is not possible to decrypt your files using third-party decryption tools.
  2. Do the following: Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

     GroupPolicy: Restriction ? <==== ATTENTION
     Task: {000BC7BA-E648-4FAC-988F-0A94FED38478} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION
     Task: {04D9A4B7-0510-4B2D-917B-7457E5015C56} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
     Task: {1F390734-6B2B-4CDA-B31E-375FE145FFC3} - \Games\UpdateCheck_S-1-5-21-4224017519-229722566-3410020428-1004 -> No File <==== ATTENTION
     Task: {231F1743-A734-4739-A954-2E31F344BC9D} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
     Task: {2B70B19B-D492-475B-B616-3BB8FE69134B} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
     Task: {48D99643-C319-4963-BAD7-47C0B97AA3E5} - System32\Tasks\HPPSdr Restart Diagnose => C:\Users\Bruce\AppData\Local\Temp\7zS2184\HPDiagnosticCoreUI.exe <==== ATTENTION
     Task: {498C74A7-EF67-4DB9-9483-4F4CEA4E6B21} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
     Task: {5B5B5B7D-D26B-49B2-8791-445D18B9A711} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
     Task: {5D707D18-0930-4FDB-A7A9-49A30EA869DC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
     Task: {5FC7D977-F82D-4516-9C75-B0A14925E401} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
     Task: {613B92E1-6470-4922-AC41-B5DF25743DAE} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
     Task: {621D5D6A-9911-4BD8-B032-4EA67D8D0BD1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
     Task: {7235214D-F3EF-4181-8D95-FF214E83EAD5} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
     Task: {76C0CBAF-011E-4FB8-8B48-25EBE25657AD} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
     Task: {7DA54035-3293-4E7F-9D27-C5A5E5EA5244} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
     Task: {7E8FBE30-E0BD-40F9-B4DA-5AC5F621B8DE} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
     Task: {96C84661-83E8-4DC6-BD68-74258DB09B6C} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
     Task: {AB94CF6F-677F-4E22-8C30-7F91F4C731D2} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
     Task: {B978DD93-83C5-4959-8AC7-1C0794AB07A0} - \ConfigFree Startup Programs -> No File <==== ATTENTION
     Task: {C72CD31F-498E-4D60-8871-45FC23EAB102} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
     Task: {D5CCF18A-ED75-4C9F-832D-B756C412FF0E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
     URLSearchHook: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
     SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> DefaultScope {623DDCA9-52C8-4518-A331-434895817817} URL =
     SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> {42E2D4FE-AA33-4C6A-9F56-CF8A0EA049FA} URL =
     SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> {623DDCA9-52C8-4518-A331-434895817817} URL =
     SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1003 -> {623DDCA9-52C8-4518-A331-434895817817} URL =
     BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
     BHO-x32: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
     CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
     ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File
     ContextMenuHandlers1_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ContextMenuHandlers4_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ContextMenuHandlers5_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ContextMenuHandlers1_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ContextMenuHandlers4_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
     ContextMenuHandlers5_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File

     Close Notepad.

     NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
     NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
     IMPORTANT: Save all of your work, as the next step may reboot your computer.

     Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     NOTE: If the tool warns you about an outdated version please download and run the updated version.

     Clear Firefox's browser cache. Also, let me know how the machine is running now, and what remaining issues you've noticed.
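As an added example (not code from Kevin Zoll's posts or from FRST itself), a small Python triage script that reads a fixlist of the shape posted in this thread and summarises what it would act on before the Fix button is pressed: orphaned registry references (No File), items that exist on disk, and date-stamped .sys entries FRST printed without a company name. The entry layouts are inferred from the posted lines rather than from FRST documentation, and the sample fixlist is constructed from them.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entry shapes copied from the fixlists posted in this thread.
SAMPLE_FIXLIST = r"""
Task: {000BC7BA-E648-4FAC-988F-0A94FED38478} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION
BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181acd-894f-11e9-b1d4-20e216001ecf} - "F:\AutoRun.exe"
2020-01-22 21:59 - 2020-01-22 21:59 - 000072816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\jbaiauzd.sys
2020-01-22 17:37 - 2020-01-22 21:52 - 006504336 ____N C:\Windows\system32\Drivers\Wdf31419.sys
2020-01-22 21:57 - 2020-01-22 21:57 - 000000000 ____D C:\Users\Pichau\AppData\Local\a7a7b24c-53b1-45a4-9de3-3496627ae5b5
2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\ProgramData\lock.dat
C:\Windows\windows.vbs
AlternateDataStreams: C:\Users\Benjie Santiago:.repos [6042670]
"""

# FRST marks entries in the locale of the scanned machine; both tags appear in this thread.
ATTENTION_TAGS = ("<==== ATTENTION", "<==== ATENÇÃO")

# Date-stamped file/dir entry: created - modified - size attrs [(company)] path.
# Layout inferred from the posted lines (assumption, not an FRST specification).
DATED_ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<attrs>_{4}[_A-Z]) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
# First drive-letter path in a line, cut at the next FRST separator or quote.
DISK_PATH = re.compile(r'[A-Za-z]:\\[^"]*?(?= (?:=>|->|<====|\[)|"|$)')


@dataclass
class Entry:
    kind: str                 # dated-file, dated-dir, orphan, path, registry, other
    path: Optional[str]       # on-disk object the entry refers to, if any
    size: Optional[int]
    company: Optional[str]    # None = no company field; "" = empty "()" field
    attention: bool
    raw: str


def parse_entry(line: str) -> Optional[Entry]:
    """Classify one fixlist line; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    attention = any(tag in line for tag in ATTENTION_TAGS)
    m = DATED_ENTRY.match(line)
    if m:
        kind = "dated-dir" if m.group("attrs").endswith("D") else "dated-file"
        return Entry(kind, m.group("path").strip(), int(m.group("size")),
                     m.group("company"), attention, line)
    if "No File" in line:           # registry reference whose target is gone
        return Entry("orphan", None, None, None, attention, line)
    if re.match(r"^[A-Za-z]:\\", line):
        return Entry("path", line, None, None, attention, line)
    found = DISK_PATH.search(line)
    kind = "registry" if line.startswith(("HKLM", "HKU", "HKCU", "HKCR")) else "other"
    return Entry(kind, found.group(0) if found else None, None, None, attention, line)


def triage(fixlist: str) -> dict:
    """Summarise a fixlist: per-kind counts, on-disk targets, drivers lacking a company name."""
    entries = [e for e in (parse_entry(l) for l in fixlist.splitlines()) if e]
    counts: dict = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return {
        "counts": counts,
        "on_disk": sorted({e.path for e in entries if e.path and e.kind != "orphan"}),
        # A missing company string is a triage hint only; FRST's company field is
        # version-info text, not a signature verdict.
        "drivers_without_company": [e.path for e in entries if e.kind == "dated-file"
                                    and e.path.lower().endswith(".sys") and not e.company],
        "attention": sum(e.attention for e in entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FIXLIST).items():
        print(f"{key}: {value}")
```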
  3. Those are offline keys. Now for the bad news. STOP/DJVU KODC is a newer variant and as such there currently is no method to recover the encrypted files.
  4. FRST needs to be run from an account with administrative privileges, otherwise it will not function properly. Please run FRST from an admin account and attach the new reports to your reply.
  5. Please make sure you have the latest version of .NET Framework installed on your computer.
  6. We may have to deal with that issue separately. Yes, you can reconnect to the Internet and try the decrypter. Which, likely will not be able to decrypt the files. I do not see a reason why you couldn't. That is entirely up to you, but it wouldn't hurt to do so.
  7. @Benjie Go ahead and run the decryption tool https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu KODC is a newer variant of the STOP/DJVU family of ransomware and as such our decryption tool will not be able to decrypt the files. What it will do is determine the ID used to encrypt your files. Please post that ID to your reply.
  8. @Reggia99 Run the decrypter again and if you get an error message again, click the button next to "View problem details" to expand the details box. That should contain the details necessary to figure out why it crashed.
  9. @MrSalazar Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

     HKLM\...\Run: [] => [X]
     HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Run: [] => [X]
     HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\system: [shell] explorer.exe <==== ATENÇÃO
     HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
     HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181acd-894f-11e9-b1d4-20e216001ecf} - "F:\AutoRun.exe"
     HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181d76-894f-11e9-b1d4-7085c2aa6cc5} - "D:\AutoRun.exe"
     HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {cfb6d8ee-8986-11e9-b1d7-20e216001ecf} - "F:\AutoRun.exe"
     GroupPolicy: Restrição ? <==== ATENÇÃO
     GroupPolicy\User: Restrição ? <==== ATENÇÃO
     "{45487F67-EC9F-4449-A6F2-2D0970F9B80B}" => serviço não pode ser desbloqueado. <==== ATENÇÃO
     HKLM\SYSTEM\ControlSet001\Services\{45487F67-EC9F-4449-A6F2-2D0970F9B80B} => C:\Windows\System32\drivers\Wdf31419.sys [6504336 2020-01-22] (Acesso Negado) [Arquivo não assinado] <==== ATENÇÃO (Rootkit!/Serviço Bloqueado)
     2020-01-22 21:59 - 2020-01-22 21:59 - 000072816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\jbaiauzd.sys
     2020-01-22 21:57 - 2020-01-22 21:57 - 000000000 ____D C:\Users\Pichau\AppData\Local\a7a7b24c-53b1-45a4-9de3-3496627ae5b5
     2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\Users\Todos os Usuários\DJIVBC20R7P925SAWG1XFZRR5
     2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\ProgramData\DJIVBC20R7P925SAWG1XFZRR5
     2020-01-22 17:37 - 2020-01-22 21:52 - 006504336 ____N C:\Windows\system32\Drivers\Wdf31419.sys
     2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\ProgramData\lock.dat
     2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\ProgramData\rc.dat
     2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\ProgramData\ts.dat
     2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\Users\Todos os Usuários\lock.dat
     2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\Users\Todos os Usuários\rc.dat
     2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\Users\Todos os Usuários\ts.dat
     2020-01-21 01:09 - 2020-01-22 01:38 - 000000070 _____ () C:\Users\Pichau\AppData\Local\update_progress.txt
     2019-10-02 07:39 - 2019-10-02 07:39 - 000000000 _____ () C:\Users\Pichau\AppData\Local\{A3B36C9E-4F22-40E4-B5B9-9ACD996B2450}
     2020-01-22 21:52 C:\Windows\system32\Drivers\Wdf31419.sys

     Close Notepad.

     NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
     NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
     IMPORTANT: Save all of your work, as the next step may reboot your computer.

     Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     NOTE: If the tool warns you about an outdated version please download and run the updated version.

     Also, let me know how the machine is running now, and what remaining issues you've noticed.
  10. @TangoTen That warning is incorrect with regards to FRST. You can tell Chrome to keep the file. If you are not offered that option then you need to alter the download setting for Chrome.
  11. @athul Your personal ID: 0198nTsddS3wnrGHb25jELGAwoOjfGDAONcPEMy6oijuyR0a5 This is an online ID and as such our decryption tool cannot decrypt files that were encrypted using an online ID.
  12. @vikram chavan That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

      Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

      Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

      For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

      While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

      Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  13. Hello @Benjie, Welcome to the Emsisoft Support Forums. Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

      () [File not signed] C:\Users\Benjie Santiago\AppData\Roaming\Vysor\crx\gidgenkbbabolejbgbpnhbimgjbffefm\app-2.2.6.crx-unpacked\native\win32\adb.exe
      HKLM\...\Policies\Explorer: [ConfirmFileDelete] 0
      HKLM\...\Policies\Explorer: [HideSCAHealth] 1
      HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
      Startup: C:\Users\Benjie Santiago\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stay On Top.lnk [2019-12-16]
      ShortcutTarget: Stay On Top.lnk -> C:\Users\Benjie Santiago\AppData\Roaming\Microsoft\Installer\{5C6C0192-BA75-4932-8931-B2FF88346E49}\_16dd6dc4.exe (No File)
      GroupPolicy: Restriction ? <==== ATTENTION
      BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
      BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
      2020-01-20 09:23 - 2019-10-22 03:51 - 000002930 _____ C:\Windows\e.bat
      2020-01-20 09:23 - 2019-07-31 00:00 - 000004608 _____ () C:\Windows\e.exe
      2020-01-20 08:58 - 2020-01-20 08:58 - 000000028 _____ C:\Windows\tmp_lkdj23df2
      2020-01-20 08:56 - 2020-01-20 12:28 - 000000000 ____D C:\Users\Benjie Santiago\AppData\Roaming\n240ko045ti
      2020-01-20 08:48 - 2020-01-20 08:49 - 000000000 ____D C:\ProgramData\2PR6BV9QD1I9BK42OVFZPW1LF
      2020-01-20 08:48 - 2020-01-20 08:48 - 000000049 _____ C:\Users\Benjie Santiago\AppData\Local\script.ps1
      2020-01-20 08:47 - 2020-01-20 12:28 - 000000000 ____D C:\Users\Benjie Santiago\AppData\Roaming\eytfih1ylk5
      2020-01-20 08:47 - 2020-01-20 08:47 - 000000000 ____D C:\ProgramData\{FB162844-05BE-A566-C618-E529C6FFBC78}
      2020-01-20 08:47 - 2020-01-20 08:47 - 000000000 ____D C:\ProgramData\{66F458D0-752A-3884-5268-07B4528F5EE5}
      2020-01-20 08:48 - 2020-01-20 08:48 - 000137168 _____ (Mozilla Foundation) C:\ProgramData\mozglue.dll
      2020-01-20 08:48 - 2020-01-20 08:48 - 001246160 _____ (Mozilla Foundation) C:\ProgramData\nss3.dll
      2020-01-25 07:58 - 2020-01-25 07:58 - 000000000 _____ () C:\Users\Benjie Santiago\AppData\Roaming\{76BE5B84-EB32-45DC-9563-2E5604DC949B}
      2020-01-20 08:48 - 2020-01-20 08:48 - 000000049 _____ () C:\Users\Benjie Santiago\AppData\Local\script.ps1
      AlternateDataStreams: C:\Users\Benjie Santiago:.repos [6042670]

      Close Notepad.

      NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
      NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
      IMPORTANT: Save all of your work, as the next step may reboot your computer.

      Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

      NOTE: If the tool warns you about an outdated version please download and run the updated version.

      Also, let me know how the machine is running now, and what remaining issues you've noticed.
  14. @Vicky You just click the fix button once and it will load fixlist.txt and run the contents of the file. If it does not run make sure that both FRST and fixlist.txt are actually in the same folder with each other.
  15. This is an online ID. As such your files encrypted with an online ID cannot be decrypted.
  16. It should be OK to try the STOP decrypter.
  17. The active infection should be gone, but I want to take another look. Run a fresh scan with FRST and attach the new FRST reports to your reply.
  18. Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

      C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242\EC67.tmp.exe
      C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242
      C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2\dreamtrips_mix1.exe
      C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2
      C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\0ZnTo1JjqgmJNDsv8MsX.exe
      C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\eJw05ABKDl=.exe
      C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5
      C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf\fish.exe
      C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf
      C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln\ytbticket.exe
      C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln
      C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim\forinstalls.exe
      C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim
      C:\Windows\windows.vbs

      Close Notepad.

      NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
      NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
      IMPORTANT: Save all of your work, as the next step may reboot your computer.

      Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

      NOTE: If the tool warns you about an outdated version please download and run the updated version.

      Also, let me know how the machine is running now, and what remaining issues you've noticed.
  19. @Reggia99 Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

      (Psiphon Inc. -> ) C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
      HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => "C:\Users\ELITE\AppData\Local\Temp\systm.exe" .. <==== ATTENTION
      2020-01-24 11:54 - 2020-01-24 11:58 - 006978160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe
      2020-01-24 11:54 - 2020-01-24 11:55 - 006658160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
      2020-01-20 14:24 - 2020-01-24 11:58 - 000000000 ____D C:\Users\ELITE\AppData\Roaming\Psiphon3

      Close Notepad.

      NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
      NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
      IMPORTANT: Save all of your work, as the next step may reboot your computer.

      Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

      NOTE: If the tool warns you about an outdated version please download and run the updated version.

      Also, let me know how the machine is running now, and what remaining issues you've noticed.
  20. @akin The ID is an offline ID. The only way to know if it is decryptable or not is to run the decryption tool.

      Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

      Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

      For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

      While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

      Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  21. @MrSalazar Screenshots are of no use to us when it comes to extracting the data necessary to form a fix. Please attach the EEK scan report to your reply.
  22. Hello @babisk, Welcome to the Emsisoft Support Forums. The ID you provided is an online ID and as such files that were encrypted with an online ID cannot be decrypted using third-party decryption tools.
  23. @Ali Raza It is not possible to decrypt STOP/DJVU encrypted files that were encrypted with an Online ID using third-party decryption tools, unless the decryption service was able to obtain the decryption key. Anyone who claims to be able to decrypt files for which no one has publicly released a free decryption tool is either the criminals themselves or working with the criminals. Who did you send your files to?
  24. Hello, Welcome to the Emsisoft Support Forums. That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

      Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

      Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

      For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

      While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware. Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

      Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  25. @Vicky I replied to your support thread just a bit ago. See my instructions in my reply to your post in that thread.