ShadowPuterDude

Emsisoft Employee
Posts: 19502 | Days Won: 201

Everything posted by ShadowPuterDude

  1. Hello @peni, Welcome to the Emsisoft Support Forums. I understand it is frustrating, but currently, we are not aware of any ways to decrypt files with Online-ID and some recent forms of STOP(DJVU). Please read this Topic. It contains information about your situation and whether or not your files can be decrypted. https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  2. Hello @Syukri85, Welcome to the Emsisoft Support Forums. I understand it is frustrating, but currently, we are not aware of any ways to decrypt files with Online-ID and some recent forms of STOP(DJVU). Please read this Topic. It contains information about your situation and whether or not your files can be decrypted. https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  3. Quoting: "KB2504637 is a .NET update. I was planning on running Tronscript which I found out about from this video:"

     Don't; you will waste 10-12 hours of your time that you will never get back. TRON is the kitchen sink approach to malware removal. Nobody in the online security community uses it for a reason.

     Quoting: "WVV0R7I3W.tmp is still appearing in System32 folder"

     Run a fresh scan with FRST, and attach the new FRST reports to your reply.
  4. Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

         HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
         HKU\S-1-5-21-370668094-1905685230-1647023283-1001\...\Run: [AdobeBridge] => [X]
         HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{73FA19D0-2D75-11D2-995D-00C04F98BBC9}] ->
         AppInit_DLLs-x32: C:\PROGRA~1\COMMON~1\System\symsrv.dll => C:\Program Files\Common Files\System\symsrv.dll [69337 2021-10-14] (Microsoft Corporation) [File not signed] <==== ATTENTION
         IFEO\osppsvc.exe: [Debugger] rundll32.exe SppExtComObjHook.dll,PatcherMain
         IFEO\SppExtComObj.exe: [Debugger] rundll32.exe SppExtComObjHook.dll,PatcherMain
         GroupPolicy: Restriction ? <==== ATTENTION
         Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
         Task: {FC531EE0-7EDF-4258-B99D-B6FFA3515AC2} - System32\Tasks\KMSAutoNet => C:\ProgramData\KMSAutoS\KMSAuto Net.exe
         Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
         Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
         Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
         Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
         FirewallRules: [{004A0256-BBE7-402F-9672-9DEB5EF0BC31}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
         FirewallRules: [{0F654D76-6E02-4647-98D5-7B2C71BA1BA6}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
         FirewallRules: [{FF52431F-683A-48E5-9A4F-68C4E6C7A844}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe => No File
         FirewallRules: [{BAA9A59C-5DDF-438B-9C70-C2FB3E9433DC}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe => No File
         FirewallRules: [{5E1C5ED4-2EB2-432C-9323-D1BF81CC5CBB}] => (Allow) C:\Users\morteza\AppData\Local\Programs\Opera\58.0.3135.79\opera.exe => No File
         FirewallRules: [{7E021A8F-9EC5-4933-BFB6-F9622F27BED1}] => (Allow) C:\Users\morteza\AppData\Local\Programs\Opera\57.0.3098.91\opera.exe => No File
         FirewallRules: [{BE30A4FE-6CC1-4338-87A6-4C535E74A69F}] => (Allow) C:\Users\morteza\AppData\Local\Temp\7ZipSfx.002\bin\tools\aria2c.exe => No File
         C:\Program Files\Common Files\System\symsrv.dll

     Close Notepad.

     NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

     NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

     IMPORTANT: Save all of your work, as the next step may reboot your computer.

     Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

     NOTE: If the tool warns you about an outdated version, please download and run the updated version.

     Also, let me know how the machine is running now, and what remaining issues you've noticed.
  5. Hello @feras, Welcome to the Emsisoft Support Forums. Please read this Topic. It contains information about your situation and whether or not your files can be decrypted. https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  6. Hello @sidescratches, Welcome to the Emsisoft Support Forums. That detection looks like a JavaScript file that was dropped in the browser cache. The best way to block those is to use an Ad-blocker extension like uBlock Origin.
  7. "C:\Program Files\Common Files\System\symsrv.dll" is a legitimate Microsoft DLL in the correct location. To verify, please submit the file to VirusTotal and post the results URL in your reply.
  8. Have RogueKiller remove the following:

         [Tr.Gen (Malicious)] (folder) SystemID -- C:\SystemID -> Found
         [Tr.Razy (Malicious)] (file) fgrescu -- C:\Users\Admin\AppData\Roaming\fgrescu -> Found
  9. I understand it is frustrating, but currently, we cannot decrypt files with an Offline-ID for which we do not have the Private Encryption Key in our Database. Please read this Topic. It contains information about your situation and whether or not your files can be decrypted. https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  10. @AbleTech2021, If this is on behalf of a business, please contact our Ransomware Recovery team using the web form at https://www.emsisoft.com/en/tools/ransomware-recovery/inquire/ Someone from our Ransomware Recovery team will contact you by email. We will follow up with you via email within the next 12-24 hours.