Kevin Zoll

Emsisoft Employee
Everything posted by Kevin Zoll

  1. Hello @ROSARIO, Welcome to the Emsisoft Support Forums. Your logs show no malware. Unless we are alerting on the Mozilla Firefox uninstaller, this is an issue that should be taken up with Mozilla.
  2. Ian, Please do not respond to the email notification, as it is not connected with our forum software and we normally will not see your reply. Emsisoft is most likely locked down with a password and has restrictions preventing someone without permissions from altering settings and deleting stuff that they are not allowed to delete. Unless you know the admin password to EAM or are running it from an admin account, you will not have access to those options.
  3. @Amr Zizo The personal ID in the ransom note is an Online ID, which means that your files cannot be decrypted using that ID. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the NOSU variant of STOP/DJVU. To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  4. KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU. Any hacker telling you they can decrypt your files is either lying or they are the ones who encrypted your files in the first place. This variant makes use of the RSA encryption algorithm. If implemented correctly and it is at least 1024-bit encryption, it is unbreakable using today's technology. Theoretically RSA-1024 is breakable, but none of us will still be alive when it is successfully broken.
To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
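The Offline/Online ID rule described in posts 3 and 4 above (an ID ending in "t1" is an Offline ID, anything else is Online, and one machine may carry several IDs) is easy to get wrong when a victim has hundreds of files. The script below is an added triage example written for this page; it is not Emsisoft's decrypter and not code posted in this thread. The "Your personal ID:" note layout, the "path -> ID" per-file listing, and all IDs and paths are constructed for the example, not real tool output or real victim data.

```python
"""Triage of STOP/DJVU personal IDs: Offline (ends in "t1") vs Online.

Added example; not Emsisoft's decrypter or any code from the thread.
The only rule taken from the posts above is the "t1" suffix test.
The note format and the "path -> ID" listing are assumptions /
constructed data, not the real tool's output.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

OFFLINE_SUFFIX = "t1"  # per the posts: an ID ending in t1 is an Offline ID

# Constructed IDs for the example; they are not real victim IDs.
OFFLINE_ID = "0271AbCdEfGhIjKlMnOpQrStUvWxYz0123456789t1"
ONLINE_ID = "0271AbCdEfGhIjKlMnOpQrStUvWxYz01234567Kp"

# Constructed ransom-note excerpt. Assumption: the ID follows a
# "Your personal ID:" line, as in typical _readme.txt notes.
SAMPLE_NOTE = f"""ATTENTION!
Your files are encrypted.
Your personal ID:
{OFFLINE_ID}
"""

# Constructed per-file listing (hypothetical "path -> ID" format).
# Two IDs on one machine model the interrupted-C&C case the posts mention.
SAMPLE_LISTING = f"""
C:\\Users\\victim\\Documents\\report.docx.kodc -> {OFFLINE_ID}
C:\\Users\\victim\\Pictures\\holiday.jpg.kodc -> {OFFLINE_ID}
C:\\Users\\victim\\Desktop\\budget.xlsx.kodc -> {ONLINE_ID}
"""


@dataclass(frozen=True)
class EncryptedFile:
    path: str
    personal_id: str

    @property
    def variant(self) -> str:
        """The appended extension (e.g. 'kodc') names the STOP/DJVU variant."""
        return self.path.rsplit(".", 1)[-1].lower()


def is_offline_id(personal_id: str) -> bool:
    """Offline IDs end in 't1'; everything else is treated as an Online ID."""
    return personal_id.endswith(OFFLINE_SUFFIX)


def parse_ransom_note(note: str) -> str | None:
    """Extract the personal ID from a _readme.txt style note (format assumed)."""
    match = re.search(r"Your personal ID:\s*([A-Za-z0-9]+)", note)
    return match.group(1) if match else None


def parse_listing(text: str) -> list[EncryptedFile]:
    """Parse the constructed 'path -> ID' lines into EncryptedFile records."""
    files = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "->" not in line:
            continue
        path, _, personal_id = line.rpartition("->")
        files.append(EncryptedFile(path.strip(), personal_id.strip()))
    return files


def triage(files: list[EncryptedFile]) -> dict[str, dict]:
    """Group files by ID and mark which ones a key database could ever help with.

    Offline ID: key pair generated locally, so a matching private key may
    later be added to a vendor database -> worth re-running the decrypter.
    Online ID: the key lives on the attackers' C&C -> third-party tools cannot help.
    """
    by_id: dict[str, list[EncryptedFile]] = defaultdict(list)
    for f in files:
        by_id[f.personal_id].append(f)

    report = {}
    for personal_id, group in by_id.items():
        offline = is_offline_id(personal_id)
        report[personal_id] = {
            "kind": "offline" if offline else "online",
            "variants": sorted({f.variant for f in group}),
            "files": [f.path for f in group],
            "retry_decrypter_later": offline,
        }
    return report


if __name__ == "__main__":
    print("ID from note:", parse_ransom_note(SAMPLE_NOTE))
    for pid, info in triage(parse_listing(SAMPLE_LISTING)).items():
        print(f"{pid}: {info['kind']} ({', '.join(info['variants'])}), "
              f"{len(info['files'])} file(s), retry later: {info['retry_decrypter_later']}")
```

The report separates files that are worth retrying with the decrypter in a few weeks (Offline ID, as post 7 below advises) from files where no third-party tool can help (Online ID). The variant extension is kept per group because, as the posts say, support for a variant and possession of its offline key are separate questions.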
  5. @Joker(Whysoserious?) TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.
  6. Hello @iantot, Thank you for contacting Emsisoft Support. That is not an error. Our decryption tool was unable to find a decryption key for that ID. Files encrypted with an Online ID means that the file(s) were encrypted with an encryption key that was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those encryption keys and therefore they are not in our database of encryption keys.
  7. @Reggia99 There are a few different IDs in that log, both online and offline. The ones with an Offline ID may be able to be decrypted in the future; we just do not have a decryption key for that ID in our database at this time. For the files with Online IDs there is nothing that can be done at this time. Run the decrypter every couple of weeks or so, in the event that we have added the Offline key in your log to our database.
  8. The file is most likely a JavaScript that was downloaded to the browser cache when Firefox loaded it and tried to run it, probably an attempt to compromise your system when you opened the email attachment. I didn't see any malware in the FRST logs, but there was a lot of orphaned stuff and policy restrictions that are not set by default, which is what I had FRST fix.
  9. Hello @SalasKafa, Thank you for contacting Emsisoft Support. TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.
  10. @Reggia99, the STOP log shows that IDM is managing the STOP Decrypter's connection to our servers. I would like for you to run another tool. Download AdwCleaner and save it on your Desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
  11. Hello @Obi, Welcome to the Emsisoft Support Forums. Thank you for contacting Emsisoft Support. REHA is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the REHA variant of STOP/DJVU. To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  12. Hello @dfarn26, Thank you for contacting Emsisoft Support. This is very likely DHARMA(CrySiS). Unfortunately, there is no way to decrypt your files using third-party tools.
  13. That variant is newer as well and not supported by our decryption tool. This advice applies to .topi as well.
  14. Uninstall Internet Download Manager. You are using a cracked version anyway and some of its files have been encrypted.
  15. That is an Online Key. The decryption key for that ID is in the possession of the cyber-criminal responsible for encrypting your files. It is not possible to decrypt your files using third-party decryption tools.
  16. Do the following: Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
GroupPolicy: Restriction ? <==== ATTENTION
Task: {000BC7BA-E648-4FAC-988F-0A94FED38478} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION
Task: {04D9A4B7-0510-4B2D-917B-7457E5015C56} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {1F390734-6B2B-4CDA-B31E-375FE145FFC3} - \Games\UpdateCheck_S-1-5-21-4224017519-229722566-3410020428-1004 -> No File <==== ATTENTION
Task: {231F1743-A734-4739-A954-2E31F344BC9D} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {2B70B19B-D492-475B-B616-3BB8FE69134B} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {48D99643-C319-4963-BAD7-47C0B97AA3E5} - System32\Tasks\HPPSdr Restart Diagnose => C:\Users\Bruce\AppData\Local\Temp\7zS2184\HPDiagnosticCoreUI.exe <==== ATTENTION
Task: {498C74A7-EF67-4DB9-9483-4F4CEA4E6B21} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {5B5B5B7D-D26B-49B2-8791-445D18B9A711} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5D707D18-0930-4FDB-A7A9-49A30EA869DC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {5FC7D977-F82D-4516-9C75-B0A14925E401} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {613B92E1-6470-4922-AC41-B5DF25743DAE} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {621D5D6A-9911-4BD8-B032-4EA67D8D0BD1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {7235214D-F3EF-4181-8D95-FF214E83EAD5} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {76C0CBAF-011E-4FB8-8B48-25EBE25657AD} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {7DA54035-3293-4E7F-9D27-C5A5E5EA5244} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {7E8FBE30-E0BD-40F9-B4DA-5AC5F621B8DE} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {96C84661-83E8-4DC6-BD68-74258DB09B6C} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {AB94CF6F-677F-4E22-8C30-7F91F4C731D2} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {B978DD93-83C5-4959-8AC7-1C0794AB07A0} - \ConfigFree Startup Programs -> No File <==== ATTENTION
Task: {C72CD31F-498E-4D60-8871-45FC23EAB102} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {D5CCF18A-ED75-4C9F-832D-B756C412FF0E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
URLSearchHook: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> DefaultScope {623DDCA9-52C8-4518-A331-434895817817} URL =
SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> {42E2D4FE-AA33-4C6A-9F56-CF8A0EA049FA} URL =
SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> {623DDCA9-52C8-4518-A331-434895817817} URL =
SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1003 -> {623DDCA9-52C8-4518-A331-434895817817} URL =
BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
BHO-x32: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File
ContextMenuHandlers1_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers4_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers5_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers1_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers4_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
ContextMenuHandlers5_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
Close Notepad. NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system. IMPORTANT: Save all of your work, as the next step may reboot your computer. Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
NOTE: If the tool warns you about an outdated version, please download and run the updated version. Clear Firefox's browser cache. Also, let me know how the machine is running now, and what remaining issues you've noticed.
  17. Those are offline keys. Now for the bad news. STOP/DJVU KODC is a newer variant and as such there currently is no method to recover the encrypted files.
  18. FRST needs to be run from an account with administrative privileges, otherwise it will not function properly. Please run FRST from an admin account and attach the new reports to your reply.
  19. Please make sure you have the latest version of .NET Framework installed on your computer.
  20. We may have to deal with that issue separately. Yes, you can reconnect to the Internet and try the decrypter, which likely will not be able to decrypt the files. I do not see a reason why you couldn't. That is entirely up to you, but it wouldn't hurt to do so.
  21. @Benjie Go ahead and run the decryption tool https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu KODC is a newer variant of the STOP/DJVU family of ransomware, and as such our decryption tool will not be able to decrypt the files. What it will do is determine the ID used to encrypt your files. Please post that ID in your reply.
  22. @Reggia99 Run the decrypter again and if you get an error message again, click the button next to "View problem details" to expand the details box. That should contain the details necessary to figure out why it crashed.
  23. @MrSalazar Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Run: [] => [X]
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\system: [shell] explorer.exe <==== ATTENTION
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181acd-894f-11e9-b1d4-20e216001ecf} - "F:\AutoRun.exe"
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181d76-894f-11e9-b1d4-7085c2aa6cc5} - "D:\AutoRun.exe"
HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {cfb6d8ee-8986-11e9-b1d7-20e216001ecf} - "F:\AutoRun.exe"
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
"{45487F67-EC9F-4449-A6F2-2D0970F9B80B}" => service could not be unlocked. <==== ATTENTION
HKLM\SYSTEM\ControlSet001\Services\{45487F67-EC9F-4449-A6F2-2D0970F9B80B} => C:\Windows\System32\drivers\Wdf31419.sys [6504336 2020-01-22] (Access Denied) [File not signed] <==== ATTENTION (Rootkit!/Locked Service)
2020-01-22 21:59 - 2020-01-22 21:59 - 000072816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\jbaiauzd.sys
2020-01-22 21:57 - 2020-01-22 21:57 - 000000000 ____D C:\Users\Pichau\AppData\Local\a7a7b24c-53b1-45a4-9de3-3496627ae5b5
2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\Users\Todos os Usuários\DJIVBC20R7P925SAWG1XFZRR5
2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\ProgramData\DJIVBC20R7P925SAWG1XFZRR5
2020-01-22 17:37 - 2020-01-22 21:52 - 006504336 ____N C:\Windows\system32\Drivers\Wdf31419.sys
2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\ProgramData\lock.dat
2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\ProgramData\rc.dat
2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\ProgramData\ts.dat
2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\Users\Todos os Usuários\lock.dat
2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\Users\Todos os Usuários\rc.dat
2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\Users\Todos os Usuários\ts.dat
2020-01-21 01:09 - 2020-01-22 01:38 - 000000070 _____ () C:\Users\Pichau\AppData\Local\update_progress.txt
2019-10-02 07:39 - 2019-10-02 07:39 - 000000000 _____ () C:\Users\Pichau\AppData\Local\{A3B36C9E-4F22-40E4-B5B9-9ACD996B2450}
2020-01-22 21:52 C:\Windows\system32\Drivers\Wdf31419.sys
Close Notepad. NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system. IMPORTANT: Save all of your work, as the next step may reboot your computer. Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version, please download and run the updated version. Also, let me know how the machine is running now, and what remaining issues you've noticed.
  24. @TangoTen That warning is incorrect with regards to FRST. You can tell Chrome to keep the file. If you are not offered that option, then you need to alter the download settings for Chrome.