Kevin Zoll

Emsisoft Employee

Posts posted by Kevin Zoll


  1. @Reggia99, the STOP log shows that IDM is managing the STOP Decrypter's connection to our servers.

    I would like for you to run another tool.

    Download AdwCleaner and save it on your Desktop.

    1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
    2. Double click on adwcleaner.exe to run the tool.
    3. Click on the Scan button.
    4. After the scan has finished, click on the Clean button.
    5. Confirm each time with OK.
    6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop.
    7. Attach that log file to your reply.

     

    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.


  2. Hello @Obi,

     

    Welcome to the Emsisoft Support Forums.

     

    Thank you for contacting Emsisoft Support.

    REHA is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important, as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the REHA variant of STOP/DJVU.

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  3. 4 hours ago, SONU GUPTA said:

    Last time I used STOP Djvu, it showed "unable to decrypt, old variant, ID EO5cjlA1HBgOrsXLyaDMZGKREGmlfLtUGLejF9FC".

    That is an Online Key.  The decryption key for that ID is in the possession of the cyber-criminal responsible for encrypting your files.  It is not possible to decrypt your files using third-party decryption tools.


  4. Do the following:

     

    Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

     

    GroupPolicy: Restriction ? <==== ATTENTION
    Task: {000BC7BA-E648-4FAC-988F-0A94FED38478} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION
    Task: {04D9A4B7-0510-4B2D-917B-7457E5015C56} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
    Task: {1F390734-6B2B-4CDA-B31E-375FE145FFC3} - \Games\UpdateCheck_S-1-5-21-4224017519-229722566-3410020428-1004 -> No File <==== ATTENTION
    Task: {231F1743-A734-4739-A954-2E31F344BC9D} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    Task: {2B70B19B-D492-475B-B616-3BB8FE69134B} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
    Task: {48D99643-C319-4963-BAD7-47C0B97AA3E5} - System32\Tasks\HPPSdr Restart Diagnose => C:\Users\Bruce\AppData\Local\Temp\7zS2184\HPDiagnosticCoreUI.exe <==== ATTENTION
    Task: {498C74A7-EF67-4DB9-9483-4F4CEA4E6B21} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
    Task: {5B5B5B7D-D26B-49B2-8791-445D18B9A711} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    Task: {5D707D18-0930-4FDB-A7A9-49A30EA869DC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
    Task: {5FC7D977-F82D-4516-9C75-B0A14925E401} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
    Task: {613B92E1-6470-4922-AC41-B5DF25743DAE} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {621D5D6A-9911-4BD8-B032-4EA67D8D0BD1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
    Task: {7235214D-F3EF-4181-8D95-FF214E83EAD5} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
    Task: {76C0CBAF-011E-4FB8-8B48-25EBE25657AD} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
    Task: {7DA54035-3293-4E7F-9D27-C5A5E5EA5244} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
    Task: {7E8FBE30-E0BD-40F9-B4DA-5AC5F621B8DE} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
    Task: {96C84661-83E8-4DC6-BD68-74258DB09B6C} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
    Task: {AB94CF6F-677F-4E22-8C30-7F91F4C731D2} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {B978DD93-83C5-4959-8AC7-1C0794AB07A0} - \ConfigFree Startup Programs -> No File <==== ATTENTION
    Task: {C72CD31F-498E-4D60-8871-45FC23EAB102} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
    Task: {D5CCF18A-ED75-4C9F-832D-B756C412FF0E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    URLSearchHook: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
    SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> DefaultScope {623DDCA9-52C8-4518-A331-434895817817} URL =
    SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> {42E2D4FE-AA33-4C6A-9F56-CF8A0EA049FA} URL =
    SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1001 -> {623DDCA9-52C8-4518-A331-434895817817} URL =
    SearchScopes: HKU\S-1-5-21-4224017519-229722566-3410020428-1003 -> {623DDCA9-52C8-4518-A331-434895817817} URL =
    BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
    BHO-x32: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Ian\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
    CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1003_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll => No File
    ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
    ContextMenuHandlers1_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ContextMenuHandlers4_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ContextMenuHandlers5_S-1-5-21-4224017519-229722566-3410020428-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ContextMenuHandlers1_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ContextMenuHandlers4_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File
    ContextMenuHandlers5_S-1-5-21-4224017519-229722566-3410020428-1003: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Bruce\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll -> No File

     

    Close Notepad.

     

    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

     

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

     

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

     

    Run FRST and press the Fix button just once and wait.

     

    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

     

    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     

    NOTE: If the tool warns you about an outdated version please download and run the updated version.

     

    Clear Firefox's browser cache.

     

    Also, let me know how the machine is running now, and what remaining issues you've noticed.


  5. 29 minutes ago, MrSalazar said:

    My task manager still doesn't keep open, it keeps closing.

    We may have to deal with that issue separately.

    29 minutes ago, MrSalazar said:

    - Is it safe to connect to the internet now and try to use decryptor?

    Yes, you can reconnect to the Internet and try the decrypter, which likely will not be able to decrypt the files.

    29 minutes ago, MrSalazar said:

    - My games aren't encrypted. I think it's because the format of the files is unique and not very common. Is it safe to play them?

    I do not see a reason why you couldn't.

    29 minutes ago, MrSalazar said:

    - Should I reset my browsers?

    That is entirely up to you, but it wouldn't hurt to do so.


  6. @MrSalazar

     

    Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

     

    HKLM\...\Run: [] => [X]
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Run: [] => [X]
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\system: [shell] explorer.exe <==== ATENÇÃO
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181acd-894f-11e9-b1d4-20e216001ecf} - "F:\AutoRun.exe"
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {1d181d76-894f-11e9-b1d4-7085c2aa6cc5} - "D:\AutoRun.exe"
    HKU\S-1-5-21-4279104284-4029660985-1505193530-1001\...\MountPoints2: {cfb6d8ee-8986-11e9-b1d7-20e216001ecf} - "F:\AutoRun.exe"
    GroupPolicy: Restrição ? <==== ATENÇÃO
    GroupPolicy\User: Restrição ? <==== ATENÇÃO
    "{45487F67-EC9F-4449-A6F2-2D0970F9B80B}" => serviço não pode ser desbloqueado. <==== ATENÇÃO
    HKLM\SYSTEM\ControlSet001\Services\{45487F67-EC9F-4449-A6F2-2D0970F9B80B} => C:\Windows\System32\drivers\Wdf31419.sys [6504336 2020-01-22] (Acesso Negado)  [Arquivo não assinado] <==== ATENÇÃO (Rootkit!/Serviço Bloqueado)
    2020-01-22 21:59 - 2020-01-22 21:59 - 000072816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\jbaiauzd.sys
    2020-01-22 21:57 - 2020-01-22 21:57 - 000000000 ____D C:\Users\Pichau\AppData\Local\a7a7b24c-53b1-45a4-9de3-3496627ae5b5
    2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\Users\Todos os Usuários\DJIVBC20R7P925SAWG1XFZRR5
    2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\ProgramData\DJIVBC20R7P925SAWG1XFZRR5
    2020-01-22 17:37 - 2020-01-22 21:52 - 006504336 ____N C:\Windows\system32\Drivers\Wdf31419.sys
    2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\ProgramData\lock.dat
    2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\ProgramData\rc.dat
    2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\ProgramData\ts.dat
    2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\Users\Todos os Usuários\lock.dat
    2020-01-22 21:53 - 2020-01-22 21:53 - 000000004 _____ () C:\Users\Todos os Usuários\rc.dat
    2020-01-22 18:56 - 2020-01-22 18:56 - 000000008 _____ () C:\Users\Todos os Usuários\ts.dat
    2020-01-21 01:09 - 2020-01-22 01:38 - 000000070 _____ () C:\Users\Pichau\AppData\Local\update_progress.txt
    2019-10-02 07:39 - 2019-10-02 07:39 - 000000000 _____ () C:\Users\Pichau\AppData\Local\{A3B36C9E-4F22-40E4-B5B9-9ACD996B2450}
    2020-01-22 21:52 C:\Windows\system32\Drivers\Wdf31419.sys

     

    Close Notepad.

     

    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

     

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

     

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

     

    Run FRST and press the Fix button just once and wait.

     

    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

     

    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     

    NOTE: If the tool warns you about an outdated version please download and run the updated version.

     

    Also, let me know how the machine is running now, and what remaining issues you've noticed.


  7. @vikram chavan

    That extension is used by STOP(Djvu). Unfortunately, STOP(Djvu) was updated recently, and we no longer have any method to decrypt this ransomware unless the encryption occurred some time ago, before the 29th of August 2019.

     

    Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

     

    Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

    For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

    While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware.

    Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

    Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.


  8. Hello @Benjie,

     

    Welcome to the Emsisoft Support Forums.

     

     

    Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

     

    () [File not signed] C:\Users\Benjie Santiago\AppData\Roaming\Vysor\crx\gidgenkbbabolejbgbpnhbimgjbffefm\app-2.2.6.crx-unpacked\native\win32\adb.exe
    HKLM\...\Policies\Explorer: [ConfirmFileDelete] 0
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
    Startup: C:\Users\Benjie Santiago\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stay On Top.lnk [2019-12-16]
    ShortcutTarget: Stay On Top.lnk -> C:\Users\Benjie Santiago\AppData\Roaming\Microsoft\Installer\{5C6C0192-BA75-4932-8931-B2FF88346E49}\_16dd6dc4.exe (No File)
    GroupPolicy: Restriction ? <==== ATTENTION
    BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
    BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
    2020-01-20 09:23 - 2019-10-22 03:51 - 000002930 _____ C:\Windows\e.bat
    2020-01-20 09:23 - 2019-07-31 00:00 - 000004608 _____ () C:\Windows\e.exe
    2020-01-20 08:58 - 2020-01-20 08:58 - 000000028 _____ C:\Windows\tmp_lkdj23df2
    2020-01-20 08:56 - 2020-01-20 12:28 - 000000000 ____D C:\Users\Benjie Santiago\AppData\Roaming\n240ko045ti
    2020-01-20 08:48 - 2020-01-20 08:49 - 000000000 ____D C:\ProgramData\2PR6BV9QD1I9BK42OVFZPW1LF
    2020-01-20 08:48 - 2020-01-20 08:48 - 000000049 _____ C:\Users\Benjie Santiago\AppData\Local\script.ps1
    2020-01-20 08:47 - 2020-01-20 12:28 - 000000000 ____D C:\Users\Benjie Santiago\AppData\Roaming\eytfih1ylk5
    2020-01-20 08:47 - 2020-01-20 08:47 - 000000000 ____D C:\ProgramData\{FB162844-05BE-A566-C618-E529C6FFBC78}
    2020-01-20 08:47 - 2020-01-20 08:47 - 000000000 ____D C:\ProgramData\{66F458D0-752A-3884-5268-07B4528F5EE5}
    2020-01-20 08:48 - 2020-01-20 08:48 - 000137168 _____ (Mozilla Foundation) C:\ProgramData\mozglue.dll
    2020-01-20 08:48 - 2020-01-20 08:48 - 001246160 _____ (Mozilla Foundation) C:\ProgramData\nss3.dll
    2020-01-25 07:58 - 2020-01-25 07:58 - 000000000 _____ () C:\Users\Benjie Santiago\AppData\Roaming\{76BE5B84-EB32-45DC-9563-2E5604DC949B}
    2020-01-20 08:48 - 2020-01-20 08:48 - 000000049 _____ () C:\Users\Benjie Santiago\AppData\Local\script.ps1
    AlternateDataStreams: C:\Users\Benjie Santiago:.repos [6042670]

     

    Close Notepad.

     

    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

     

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

     

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

     

    Run FRST and press the Fix button just once and wait.

     

    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

     

    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     

    NOTE: If the tool warns you about an outdated version please download and run the updated version.

     

    Also, let me know how the machine is running now, and what remaining issues you've noticed.


  9.  

    Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

     

    C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242\EC67.tmp.exe
    C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242
    C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2\dreamtrips_mix1.exe
    C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2
    C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\0ZnTo1JjqgmJNDsv8MsX.exe
    C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\eJw05ABKDl=.exe
    C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5
    C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf\fish.exe
    C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf
    C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln\ytbticket.exe
    C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln
    C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim\forinstalls.exe
    C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim
    C:\Windows\windows.vbs

     

    Close Notepad.

     

    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

     

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

     

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

     

    Run FRST and press the Fix button just once and wait.

     

    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

     

    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     

    NOTE: If the tool warns you about an outdated version please download and run the updated version.

     

    Also, let me know how the machine is running now, and what remaining issues you've noticed.


  10. @Reggia99

     

    Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

     

    (Psiphon Inc. -> ) C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
    HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => "C:\Users\ELITE\AppData\Local\Temp\systm.exe" .. <==== ATTENTION
    2020-01-24 11:54 - 2020-01-24 11:58 - 006978160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe
    2020-01-24 11:54 - 2020-01-24 11:55 - 006658160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
    2020-01-20 14:24 - 2020-01-24 11:58 - 000000000 ____D C:\Users\ELITE\AppData\Roaming\Psiphon3

     

    Close Notepad.

     

    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

     

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

     

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

     

    Run FRST and press the Fix button just once and wait.

     

    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

     

    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     

    NOTE: If the tool warns you about an outdated version please download and run the updated version.

     

    Also, let me know how the machine is running now, and what remaining issues you've noticed.

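    The FRST fixlists in posts 4, 6, 8, 9 and 10 above all use the same handful of line shapes: scheduled tasks, Run keys, CLSID/BHO/shell-handler entries, dated file entries and bare paths, with FRST's own "<==== ATTENTION" marker (localised on non-English systems) on the lines it considers suspicious. The following is an added example, not FRST's or Emsisoft's code: a small parser for those lines that separates dead references (entries FRST reports as "No File", removed for hygiene) from persistence that still resolves to a file on disk, and clusters the dated file entries by creation time so the infection window stands out. The sample lines are copied from the fixlists above; the `Entry` field names, the 240-minute clustering gap and the live-vs-orphaned heuristic are assumptions of this example, not FRST behaviour.

```python
"""Parse and triage FRST (Farbar Recovery Scan Tool) log / fixlist lines.
Added example, not FRST's or Emsisoft's code. Handles the line shapes in the fixlists
above: scheduled tasks, Run keys, CLSID/shell-handler entries, dated file entries, bare paths.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

ATTENTION = "<===="   # FRST appends "<==== ATTENTION" (localised on non-English systems)
TS = "%Y-%m-%d %H:%M"
# "created - modified - size attrs (company) path"; the company part is optional or "()"
DATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
                      r"(\d{9}) ([_A-Z]{5}) (?:\((.*?)\) )?(.+)$")
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (.+?) (?:->|=>) (.+)$")
RUN_RE = re.compile(r"^HK(?:LM|U)\\[^:]*\\Run: \[(.*?)\] => (.*)$")
KIND_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*):\s")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<\[]+')         # first Windows path in a fragment
SEP_RE = re.compile(r" (?:->|=>) | \(No File\)")      # where a path ends inside a fragment

@dataclass
class Entry:
    kind: str                       # Task, Run, Registry, CustomCLSID, File, Path, Other, ...
    path: Optional[str] = None
    flagged: bool = False           # FRST marked the line with "<===="
    orphaned: bool = False          # points at something FRST reported as "No File"
    created: Optional[datetime] = None
    is_dir: bool = False
    company: Optional[str] = None   # version-info company; "" when FRST printed "()"

def _first_path(text: str) -> Optional[str]:
    m = PATH_RE.search(text)
    return SEP_RE.split(m.group(0))[0].rstrip() if m else None

def parse_line(line: str) -> Optional[Entry]:
    body = line.strip()
    if not body:
        return None
    flagged = ATTENTION in body
    body = body.split(ATTENTION, 1)[0].rstrip()         # drop the marker and its comment
    orphaned = body.endswith(("No File", "No File)"))
    m = DATED_RE.match(body)
    if m:
        created, _modified, _size, attrs, company, path = m.groups()
        return Entry("File", path.rstrip(), flagged, created=datetime.strptime(created, TS),
                     is_dir="D" in attrs, company=company)
    m = TASK_RE.match(body) or RUN_RE.match(body)
    if m:
        kind = "Task" if body.startswith("Task:") else "Run"
        return Entry(kind, _first_path(m.groups()[-1]), flagged, orphaned)
    if PATH_RE.match(body):                             # bare path: deleted when run as a fix
        return Entry("Path", body, flagged)
    k = KIND_RE.match(body)
    kind = "Registry" if body.startswith("HK") else (k.group(1) if k else "Other")
    return Entry(kind, _first_path(body), flagged, orphaned)

def creation_burst(entries: List[Entry], max_gap_minutes: int = 240) -> List[Entry]:
    """Largest run of dated entries with consecutive creation times <= max_gap apart (240 is assumed)."""
    best: List[Entry] = []
    run: List[Entry] = []
    for e in sorted((e for e in entries if e.created), key=lambda e: e.created):
        if run and (e.created - run[-1].created).total_seconds() > max_gap_minutes * 60:
            run = []
        run.append(e)
        best = max(best, run, key=len)
    return best

def triage(lines: List[str]) -> Dict[str, object]:
    entries = [e for e in map(parse_line, lines) if e]
    burst = creation_burst(entries)
    return {
        "count": len(entries),
        "flagged": sum(e.flagged for e in entries),
        "orphaned": sum(e.orphaned for e in entries),   # dead references: hygiene only
        # persistence that still resolves to a file on disk: the part that was actually running
        "live_persistence": [e.path for e in entries
                             if e.path and not e.orphaned and e.kind not in ("File", "Path")],
        "burst_window": (burst[0].created, burst[-1].created) if burst else None,
    }

# Lines copied from the fixlists posted above (constructed sample for this example).
SAMPLE_LINES = [
    r'Task: {000BC7BA-E648-4FAC-988F-0A94FED38478} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION',
    r'Task: {48D99643-C319-4963-BAD7-47C0B97AA3E5} - System32\Tasks\HPPSdr Restart Diagnose => C:\Users\Bruce\AppData\Local\Temp\7zS2184\HPDiagnosticCoreUI.exe <==== ATTENTION',
    r'CustomCLSID: HKU\S-1-5-21-4224017519-229722566-3410020428-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Bruce\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File',
    r'HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => "C:\Users\ELITE\AppData\Local\Temp\systm.exe" .. <==== ATTENTION',
    r'GroupPolicy: Restriction ? <==== ATTENTION',
    r'HKLM\SYSTEM\ControlSet001\Services\{45487F67-EC9F-4449-A6F2-2D0970F9B80B} => C:\Windows\System32\drivers\Wdf31419.sys [6504336 2020-01-22] (Acesso Negado)  [Arquivo não assinado] <==== ATTENTION (Rootkit!/Serviço Bloqueado)',
    r'2020-01-22 21:59 - 2020-01-22 21:59 - 000072816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\jbaiauzd.sys',
    r'2020-01-22 17:37 - 2020-01-22 22:19 - 000000000 ____D C:\ProgramData\DJIVBC20R7P925SAWG1XFZRR5',
    r'2020-01-22 17:37 - 2020-01-22 21:52 - 006504336 ____N C:\Windows\system32\Drivers\Wdf31419.sys',
    r'2020-01-22 18:56 - 2020-01-22 22:52 - 000000004 _____ () C:\ProgramData\lock.dat',
    r'2020-01-21 01:09 - 2020-01-22 01:38 - 000000070 _____ () C:\Users\Pichau\AppData\Local\update_progress.txt',
    r'C:\Windows\windows.vbs',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

    Run as a script it prints the triage for the sample; for a real case, feed it the lines of the FRST.txt/Addition.txt you are working from. The "live_persistence" list is what to look at first: in the sample it is the HPPSdr task target, the systm.exe Run entry and the Wdf31419.sys service, the three entries that still pointed at files on disk, while the EOONotify task and the psuser_64.dll CLSID are dead references. The burst window (17:37 to 21:59 on 2020-01-22 in the sample) excludes the update_progress.txt entry from the day before, which is the kind of separation that helps decide which dated entries belong to the incident.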

  11. @akin

    The ID is an offline ID. The only way to know if it is decryptable or not is to run the decryption tool.

     

    Please refer to this blog post for information about a decrypter that may work, and also for support instructions if it does not: https://blog.emsisoft.com/en/34375/emsisoft-releases-new-decryptor-for-stop-djvu-ransomware/

     

    Quite a lot more information about STOP(Djvu) can be found here: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

    For STOP related support, please read our blog post about the tool. The section marked "Community collaboration" explains how to get support in this situation.

    While it is very rare that it helps, you might try using undelete software, or if your files are very important it may be worth talking to a company that specializes in ransomware negotiation and will communicate on your behalf with the criminals that created the ransomware.

    Exercise a bit of caution when looking for a company to help, though. Generally speaking, if a company claims to be able to decrypt files that were encrypted by a type of ransomware for which no decryption tool is publicly available, that company is probably just going to pay the ransom and charge you more than you would have paid if you had dealt with the criminals directly. Better is to search for companies that specialize in ransomware negotiation.

    Again, if the STOP(Djvu) decrypter does not decrypt any of the encrypted files, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.